Package | Installed | Affected | Info |
---|---|---|---|
lxml | 4.2.4 | <4.6.2 |
show Lxml 4.6.2 includes a fix for CVE-2020-27783: A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code. |
lxml | 4.2.4 | <4.9.1 |
show Lxml 4.9.1 includes a fix for CVE-2022-2309: NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered. |
lxml | 4.2.4 | <4.4.0 |
show In lxml before 4.4.0, when writing to file paths that contain the URL escape character '%', the file path could wrongly be mangled by URL unescaping and thus write to a different file or directory. Code that writes to file paths that are provided by untrusted sources, but that must work with previous versions of lxml, should best either reject paths that contain '%' characters, or otherwise make sure that the path does not contain maliciously injected '%XX' URL hex escapes for paths like '../'. https://github.com/lxml/lxml/commit/0245aba002f069a0b157282707bdf77418d1b5be |
lxml | 4.2.4 | <4.6.5 |
show Lxml 4.6.5 includes a fix for CVE-2021-43818: Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. |
lxml | 4.2.4 | <4.6.3 |
show Lxml version 4.6.3 includes a fix for CVE-2021-28957: An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formation attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. https://bugs.launchpad.net/lxml/+bug/1888153 |
lxml | 4.2.4 | <4.2.5 |
show Lxml 4.2.5 includes a fix for CVE-2018-19787: lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar issue to CVE-2014-3146. |
Flask | 0.12.4 | <2.2.5 , >=2.3.0,<2.3.2 |
show Flask 2.2.5 and 2.3.2 include a fix for CVE-2023-30861: When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches 'Set-Cookie' headers, it may send one client's 'session' cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met: 1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies. 2. The application sets 'session.permanent = True' 3. The application does not access or modify the session at any point during a request. 4. 'SESSION_REFRESH_EACH_REQUEST' enabled (the default). 5. The application does not set a 'Cache-Control' header to indicate that a page is private or should not be cached. This happens because vulnerable versions of Flask only set the 'Vary: Cookie' header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. https://github.com/pallets/flask/security/advisories/GHSA-m2qf-hxjv-5gpq |
Pillow | 6.2.2 | <=7.0.0 |
show In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out-of-bounds reads exist in the parsing of SGI image files, a different issue than CVE-2020-5311. |
Pillow | 6.2.2 | <8.1.0 |
show Pillow 8.1.0 includes a fix for SGI Decode buffer overrun. CVE-2020-35655 #5173. |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25289: TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. NOTE: this issue exists because of an incomplete fix for CVE-2020-35654. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | >=0,<8.1.2 |
show Certain versions of Pillow are susceptible to a denial of service via memory consumption due to inadequate validation of the reported size of a contained image in a BLP container. This can result in attempts to allocate excessively large amounts of memory. To mitigate or avoid this vulnerability, users should consider updating to a newer version that addresses the issue or following any provided workarounds, such as avoiding the processing of specially crafted invalid image files that may trigger this condition. For additional details and potential updates, users may refer to the CVE-2021-27921 entry or contact the software maintainers through the provided channels. |
Pillow | 6.2.2 | <9.0.1 |
show Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled. |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 ensures JpegImagePlugin stops at the end of a truncated file to avoid Denial of Service attacks. https://github.com/python-pillow/Pillow/pull/5921 https://github.com/advisories/GHSA-4fx9-vc88-q2xc |
Pillow | 6.2.2 | <9.1.1 |
show Pillow 9.1.1 addresses the CVE-2022-30595: libImaging/TgaRleDecode.c in Pillow 9.1.0 has a heap buffer overflow in the processing of invalid TGA image files. |
Pillow | 6.2.2 | <7.1.0 |
show In Pillow before 7.1.0, there are two Buffer Overflows in libImaging/TiffDecode.c. |
Pillow | 6.2.2 | <7.1.0 |
show Pillow before 7.1.0 has multiple out-of-bounds reads in libImaging/FliDecode.c. |
Pillow | 6.2.2 | <7.1.0 |
show In libImaging/PcxDecode.c in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer. |
Pillow | 6.2.2 | >=4.3.0,<8.1.1 |
show Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large. |
Pillow | 6.2.2 | <8.0.1 |
show Pillow 8.0.1 updates 'FreeType' used in binary wheels to v2.10.4 to include a security fix. |
Pillow | 6.2.2 | <10.3.0 |
show Pillow 10.3.0 introduces a security update addressing CVE-2024-28219 by replacing certain functions with strncpy to prevent buffer overflow issues. |
Pillow | 6.2.2 | >=0,<8.2.0 |
show An issue was discovered in Pillow before 8.2.0. PSDImagePlugin.PsdImageFile lacked a sanity check on the number of input layers relative to the size of the data block. This could lead to a DoS on Image.open prior to Image.load. |
Pillow | 6.2.2 | <10.0.0 |
show Pillow 10.0.0 includes a fix for CVE-2023-44271: Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument. https://github.com/python-pillow/Pillow/pull/7244 |
Pillow | 6.2.2 | <10.2.0 |
show Pillow is potentially vulnerable to DoS attacks through PIL.ImageFont.ImageFont.getmask(). A decompression bomb check has also been added to the affected function. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 excludes carriage return in PDF regex to help prevent ReDoS. https://github.com/python-pillow/Pillow/pull/5912 https://github.com/python-pillow/Pillow/commit/43b800d933c996226e4d7df00c33fcbe46d97363 |
Pillow | 6.2.2 | <8.2.0 |
show Pillow version 8.2.0 includes a fix for CVE-2021-28676: For FLI data, FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load. https://lists.fedoraproject.org/archives/list/[email protected]/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/ https://github.com/python-pillow/Pillow/pull/5377 https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28676-fix-fli-dos |
Pillow | 6.2.2 | <10.2.0 |
show Pillow is affected by an arbitrary code execution vulnerability. If an attacker has control over the keys passed to the environment argument of PIL.ImageMath.eval(), they may be able to execute arbitrary code. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 6.2.2 | <8.2.0 |
show Pillow version 8.2.0 includes a fix for CVE-2021-28678: For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data. https://lists.fedoraproject.org/archives/list/[email protected]/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/ https://github.com/python-pillow/Pillow/pull/5377 https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28678-fix-blp-dos |
Pillow | 6.2.2 | >=2.5.0,<10.0.1 |
show Pillow 10.0.1 updates its C dependency 'libwebp' to 1.3.2 to include a fix for a high-risk vulnerability. https://pillow.readthedocs.io/en/stable/releasenotes/10.0.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25291: In TiffDecode.c, there is an out-of-bounds read in TiffreadRGBATile via invalid tile boundaries. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25293: There is an out-of-bounds read in SGIRleDecode.c. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25290: In TiffDecode.c, there is a negative-offset memcpy with an invalid size. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <7.1.0 |
show In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file. |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-27921: Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.2.0 |
show Pillow 8.2.0 includes a fix for CVE-2021-25288: There is an out-of-bounds read in J2kDecode, in j2ku_gray_i. https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode |
Pillow | 6.2.2 | <8.3.0 |
show Pillow 8.3.0 includes a fix for CVE-2021-34552: Pillow through 8.2.0 and PIL (also known as Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow https://pillow.readthedocs.io/en/stable/releasenotes/index.html |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22816: path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 6.2.2 | <8.1.0 |
show Pillow 8.1.0 fixes TIFF OOB Write error. CVE-2020-35654 #5175. |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25292: The PDF parser allows a regular expression DoS (ReDoS) attack via a crafted PDF file because of a catastrophic backtracking regex. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-27922: Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.0 |
show In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations. |
Pillow | 6.2.2 | <8.2.0 |
show Pillow 8.2.0 includes a fix for CVE-2021-25287: There is an out-of-bounds read in J2kDecode, in j2ku_graya_la. https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode |
Pillow | 6.2.2 | <8.2.0 |
show Pillow version 8.2.0 includes a fix for CVE-2021-28677: For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \r and \n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a DoS of Pillow in the open phase, before an image was accepted for opening. https://lists.fedoraproject.org/archives/list/[email protected]/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/ https://github.com/python-pillow/Pillow/pull/5377 https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28677-fix-eps-dos-on-open |
Pillow | 6.2.2 | <9.0.1 |
show Pillow 9.0.1 includes a fix for CVE-2022-22817: PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A first patch was issued for version 9.0.0 but it did not prevent builtins available to lambda expressions. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html#security |
Pillow | 6.2.2 | >=5.2.0,<8.3.2 |
show Pillow from 5.2.0 and before 8.3.2 is vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function. https://github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd2f476e1b20b7cf38683754866b https://pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22815: path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 6.2.2 | <9.2.0 |
show Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification). |
Jinja2 | 2.11.2 | <2.11.3 |
show This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the '_punctuation_re regex' operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory. |
Jinja2 | 2.11.2 | <3.1.3 |
show Jinja2 before 3.1.3 is affected by a Cross-Site Scripting vulnerability. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template. The Jinja 'xmlattr' filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based. |
urllib3 | 1.25.8 | <1.26.17 , >=2.0.0a1,<2.0.5 |
show Urllib3 1.26.17 and 2.0.5 include a fix for CVE-2023-43804: Urllib3 doesn't treat the 'Cookie' HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a 'Cookie' header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f |
urllib3 | 1.25.8 | <1.25.9 |
show Urllib3 1.25.9 includes a fix for CVE-2020-26137: Urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116. https://github.com/python/cpython/issues/83784 https://github.com/urllib3/urllib3/pull/1800 |
urllib3 | 1.25.8 | <1.26.5 |
show Urllib3 1.26.5 includes a fix for CVE-2021-33503: When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. https://github.com/advisories/GHSA-q2q7-5pp4-w6pg |
urllib3 | 1.25.8 | <1.26.18 , >=2.0.0a1,<2.0.7 |
show Urllib3 1.26.18 and 2.0.7 include a fix for CVE-2023-45803: Request body not stripped after redirect from 303 status changes request method to GET. https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4 |
gunicorn | 19.8.1 | <19.10.0 , >=20.0.0,<20.0.1 |
show Gunicorn 20.0.1 fixes chunked encoding support to prevent http request smuggling attacks. https://github.com/benoitc/gunicorn/issues/2176 https://github.com/p4k03n4t0r/http-request-smuggling#request-smuggling-using-mitmproxy-and-gunicorn |
Werkzeug | 0.14.1 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-23934: Browsers may allow "nameless" cookies that look like '=value' instead of 'key=value'. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like '=__Host-test=bad' for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie '=__Host-test=bad' as __Host-test=bad'. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q |
Werkzeug | 0.14.1 | ==3.0.0 , <2.3.8 |
show Werkzeug 3.0.1 and 2.3.8 include a security fix: Slow multipart parsing for large parts potentially enabling DoS attacks. https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1 |
Werkzeug | 0.14.1 | >=0,<0.15.3 |
show Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id. |
Werkzeug | 0.14.1 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-25577: Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses 'request.data', 'request.form', 'request.files', or 'request.get_data(parse_form_data=False)', it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers. https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323 |
Werkzeug | 0.14.1 | >=0,<0.15.5 |
show In Pallets Werkzeug before 0.15.5, SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames. |
Flask-Admin | 1.5.2 | <=1.5.2 |
show Flask-Admin 1.5.3 includes a fix for CVE-2018-16516: Helpers.py in Flask-Admin 1.5.2 has Reflected XSS via a crafted URL. https://github.com/flask-admin/flask-admin/pull/1699 |
Flask-Caching | 1.4.0 | <=1.10.1 |
show Flask-caching is vulnerable to CVE-2021-33026: Flask-Caching extension for Flask relies on Pickle for deserialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code. NOTE: Project maintainers indicate that exploitation is extremely unlikely unless the machine is already compromised; in other cases, the attacker would be unable to write their payload to the cache and generate the required collision. https://github.com/pallets-eco/flask-caching/pull/209 |
Package | Installed | Affected | Info |
---|---|---|---|
lxml | 4.2.4 | <4.6.2 |
show Lxml 4.6.2 includes a fix for CVE-2020-27783: A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code. |
lxml | 4.2.4 | <4.9.1 |
show Lxml 4.9.1 includes a fix for CVE-2022-2309: NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered. |
lxml | 4.2.4 | <4.4.0 |
show In lxml before 4.4.0, when writing to file paths that contain the URL escape character '%', the file path could wrongly be mangled by URL unescaping and thus write to a different file or directory. Code that writes to file paths that are provided by untrusted sources, but that must work with previous versions of lxml, should best either reject paths that contain '%' characters, or otherwise make sure that the path does not contain maliciously injected '%XX' URL hex escapes for paths like '../'. https://github.com/lxml/lxml/commit/0245aba002f069a0b157282707bdf77418d1b5be |
lxml | 4.2.4 | <4.6.5 |
show Lxml 4.6.5 includes a fix for CVE-2021-43818: Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. |
lxml | 4.2.4 | <4.6.3 |
show Lxml version 4.6.3 includes a fix for CVE-2021-28957: An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formation attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. https://bugs.launchpad.net/lxml/+bug/1888153 |
lxml | 4.2.4 | <4.2.5 |
show Lxml 4.2.5 includes a fix for CVE-2018-19787: lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar issue to CVE-2014-3146. |
Flask | 0.12.4 | <2.2.5 , >=2.3.0,<2.3.2 |
show Flask 2.2.5 and 2.3.2 include a fix for CVE-2023-30861: When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches 'Set-Cookie' headers, it may send one client's 'session' cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met: 1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies. 2. The application sets 'session.permanent = True' 3. The application does not access or modify the session at any point during a request. 4. 'SESSION_REFRESH_EACH_REQUEST' enabled (the default). 5. The application does not set a 'Cache-Control' header to indicate that a page is private or should not be cached. This happens because vulnerable versions of Flask only set the 'Vary: Cookie' header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. https://github.com/pallets/flask/security/advisories/GHSA-m2qf-hxjv-5gpq |
Pillow | 6.2.2 | <=7.0.0 |
show In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out-of-bounds reads exist in the parsing of SGI image files, a different issue than CVE-2020-5311. |
Pillow | 6.2.2 | <8.1.0 |
show Pillow 8.1.0 includes a fix for SGI Decode buffer overrun. CVE-2020-35655 #5173. |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25289: TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. NOTE: this issue exists because of an incomplete fix for CVE-2020-35654. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | >=0,<8.1.2 |
show Certain versions of Pillow are susceptible to a denial of service via memory consumption due to inadequate validation of the reported size of a contained image in a BLP container. This can result in attempts to allocate excessively large amounts of memory. To mitigate or avoid this vulnerability, users should consider updating to a newer version that addresses the issue or following any provided workarounds, such as avoiding the processing of specially crafted invalid image files that may trigger this condition. For additional details and potential updates, users may refer to the CVE-2021-27921 entry or contact the software maintainers through the provided channels. |
Pillow | 6.2.2 | <9.0.1 |
show Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled. |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 ensures JpegImagePlugin stops at the end of a truncated file to avoid Denial of Service attacks. https://github.com/python-pillow/Pillow/pull/5921 https://github.com/advisories/GHSA-4fx9-vc88-q2xc |
Pillow | 6.2.2 | <9.1.1 |
show Pillow 9.1.1 addresses the CVE-2022-30595: libImaging/TgaRleDecode.c in Pillow 9.1.0 has a heap buffer overflow in the processing of invalid TGA image files. |
Pillow | 6.2.2 | <7.1.0 |
show In Pillow before 7.1.0, there are two Buffer Overflows in libImaging/TiffDecode.c. |
Pillow | 6.2.2 | <7.1.0 |
show Pillow before 7.1.0 has multiple out-of-bounds reads in libImaging/FliDecode.c. |
Pillow | 6.2.2 | <7.1.0 |
show In libImaging/PcxDecode.c in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer. |
Pillow | 6.2.2 | >=4.3.0,<8.1.1 |
show Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large. |
Pillow | 6.2.2 | <8.0.1 |
show Pillow 8.0.1 updates 'FreeType' used in binary wheels to v2.10.4 to include a security fix. |
Pillow | 6.2.2 | <10.3.0 |
show Pillow 10.3.0 introduces a security update addressing CVE-2024-28219 by replacing certain functions with strncpy to prevent buffer overflow issues. |
Pillow | 6.2.2 | >=0,<8.2.0 |
show An issue was discovered in Pillow before 8.2.0. PSDImagePlugin.PsdImageFile lacked a sanity check on the number of input layers relative to the size of the data block. This could lead to a DoS on Image.open prior to Image.load. |
Pillow | 6.2.2 | <10.0.0 |
show Pillow 10.0.0 includes a fix for CVE-2023-44271: Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument. https://github.com/python-pillow/Pillow/pull/7244 |
Pillow | 6.2.2 | <10.2.0 |
show Pillow is potentially vulnerable to DoS attacks through PIL.ImageFont.ImageFont.getmask(). A decompression bomb check has also been added to the affected function. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 excludes carriage return in PDF regex to help prevent ReDoS. https://github.com/python-pillow/Pillow/pull/5912 https://github.com/python-pillow/Pillow/commit/43b800d933c996226e4d7df00c33fcbe46d97363 |
Pillow | 6.2.2 | <8.2.0 |
show Pillow version 8.2.0 includes a fix for CVE-2021-28676: For FLI data, FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load. https://lists.fedoraproject.org/archives/list/[email protected]/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/ https://github.com/python-pillow/Pillow/pull/5377 https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28676-fix-fli-dos |
Pillow | 6.2.2 | <10.2.0 |
show Pillow is affected by an arbitrary code execution vulnerability. If an attacker has control over the keys passed to the environment argument of PIL.ImageMath.eval(), they may be able to execute arbitrary code. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 6.2.2 | <8.2.0 |
show Pillow version 8.2.0 includes a fix for CVE-2021-28678: For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data. https://lists.fedoraproject.org/archives/list/[email protected]/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/ https://github.com/python-pillow/Pillow/pull/5377 https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28678-fix-blp-dos |
Pillow | 6.2.2 | >=2.5.0,<10.0.1 |
show Pillow 10.0.1 updates its C dependency 'libwebp' to 1.3.2 to include a fix for a high-risk vulnerability. https://pillow.readthedocs.io/en/stable/releasenotes/10.0.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25291: In TiffDecode.c, there is an out-of-bounds read in TiffreadRGBATile via invalid tile boundaries. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25293: There is an out-of-bounds read in SGIRleDecode.c. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25290: In TiffDecode.c, there is a negative-offset memcpy with an invalid size. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <7.1.0 |
show In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file. |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-27921: Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.2.0 |
show Pillow 8.2.0 includes a fix for CVE-2021-25288: There is an out-of-bounds read in J2kDecode, in j2ku_gray_i. https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode |
Pillow | 6.2.2 | <8.3.0 |
show Pillow 8.3.0 includes a fix for CVE-2021-34552: Pillow through 8.2.0 and PIL (also known as Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow https://pillow.readthedocs.io/en/stable/releasenotes/index.html |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22816: path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 6.2.2 | <8.1.0 |
show Pillow 8.1.0 fixes TIFF OOB Write error. CVE-2020-35654 #5175. |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25292: The PDF parser allows a regular expression DoS (ReDoS) attack via a crafted PDF file because of a catastrophic backtracking regex. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-27922: Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.0 |
show In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations. |
Pillow | 6.2.2 | <8.2.0 |
show Pillow 8.2.0 includes a fix for CVE-2021-25287: There is an out-of-bounds read in J2kDecode, in j2ku_graya_la. https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode |
Pillow | 6.2.2 | <8.2.0 |
show Pillow version 8.2.0 includes a fix for CVE-2021-28677: For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \r and \n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a DoS of Pillow in the open phase, before an image was accepted for opening. https://lists.fedoraproject.org/archives/list/[email protected]/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/ https://github.com/python-pillow/Pillow/pull/5377 https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28677-fix-eps-dos-on-open |
Pillow | 6.2.2 | <9.0.1 |
show Pillow 9.0.1 includes a fix for CVE-2022-22817: PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A first patch was issued for version 9.0.0 but it did not prevent builtins available to lambda expressions. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html#security |
Pillow | 6.2.2 | >=5.2.0,<8.3.2 |
show Pillow from 5.2.0 and before 8.3.2 is vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function. https://github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd2f476e1b20b7cf38683754866b https://pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22815: path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 6.2.2 | <9.2.0 |
show Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification). |
Jinja2 | 2.11.2 | <2.11.3 |
show This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the '_punctuation_re regex' operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory. |
Jinja2 | 2.11.2 | <3.1.3 |
show Jinja2 before 3.1.3 is affected by a Cross-Site Scripting vulnerability. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template. The Jinja 'xmlattr' filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based. |
urllib3 | 1.25.8 | <1.26.17 , >=2.0.0a1,<2.0.5 |
show Urllib3 1.26.17 and 2.0.5 include a fix for CVE-2023-43804: Urllib3 doesn't treat the 'Cookie' HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a 'Cookie' header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f |
urllib3 | 1.25.8 | <1.25.9 |
show Urllib3 1.25.9 includes a fix for CVE-2020-26137: Urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116. https://github.com/python/cpython/issues/83784 https://github.com/urllib3/urllib3/pull/1800 |
urllib3 | 1.25.8 | <1.26.5 |
show Urllib3 1.26.5 includes a fix for CVE-2021-33503: When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. https://github.com/advisories/GHSA-q2q7-5pp4-w6pg |
urllib3 | 1.25.8 | <1.26.18 , >=2.0.0a1,<2.0.7 |
show Urllib3 1.26.18 and 2.0.7 include a fix for CVE-2023-45803: Request body not stripped after redirect from 303 status changes request method to GET. https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4 |
gunicorn | 19.8.1 | <19.10.0 , >=20.0.0,<20.0.1 |
show Gunicorn 20.0.1 fixes chunked encoding support to prevent http request smuggling attacks. https://github.com/benoitc/gunicorn/issues/2176 https://github.com/p4k03n4t0r/http-request-smuggling#request-smuggling-using-mitmproxy-and-gunicorn |
Werkzeug | 0.14.1 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-23934: Browsers may allow "nameless" cookies that look like '=value' instead of 'key=value'. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like '=__Host-test=bad' for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie '=__Host-test=bad' as __Host-test=bad'. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q |
Werkzeug | 0.14.1 | ==3.0.0 , <2.3.8 |
show Werkzeug 3.0.1 and 2.3.8 include a security fix: Slow multipart parsing for large parts potentially enabling DoS attacks. https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1 |
Werkzeug | 0.14.1 | >=0,<0.15.3 |
show Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id. |
Werkzeug | 0.14.1 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-25577: Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses 'request.data', 'request.form', 'request.files', or 'request.get_data(parse_form_data=False)', it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers. https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323 |
Werkzeug | 0.14.1 | >=0,<0.15.5 |
show In Pallets Werkzeug before 0.15.5, SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames. |
Flask-Admin | 1.5.2 | <=1.5.2 |
show Flask-Admin 1.5.3 includes a fix for CVE-2018-16516: Helpers.py in Flask-Admin 1.5.2 has Reflected XSS via a crafted URL. https://github.com/flask-admin/flask-admin/pull/1699 |
Flask-Caching | 1.4.0 | <=1.10.1 |
show Flask-caching is vulnerable to CVE-2021-33026: Flask-Caching extension for Flask relies on Pickle for deserialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code. NOTE: Project maintainers indicate that exploitation is extremely unlikely unless the machine is already compromised; in other cases, the attacker would be unable to write their payload to the cache and generate the required collision. https://github.com/pallets-eco/flask-caching/pull/209 |
Package | Installed | Affected | Info |
---|---|---|---|
lxml | 4.2.4 | <4.6.2 |
show Lxml 4.6.2 includes a fix for CVE-2020-27783: A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code. |
lxml | 4.2.4 | <4.9.1 |
show Lxml 4.9.1 includes a fix for CVE-2022-2309: NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered. |
lxml | 4.2.4 | <4.4.0 |
show In lxml before 4.4.0, when writing to file paths that contain the URL escape character '%', the file path could wrongly be mangled by URL unescaping and thus write to a different file or directory. Code that writes to file paths that are provided by untrusted sources, but that must work with previous versions of lxml, should best either reject paths that contain '%' characters, or otherwise make sure that the path does not contain maliciously injected '%XX' URL hex escapes for paths like '../'. https://github.com/lxml/lxml/commit/0245aba002f069a0b157282707bdf77418d1b5be |
lxml | 4.2.4 | <4.6.5 |
show Lxml 4.6.5 includes a fix for CVE-2021-43818: Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. |
lxml | 4.2.4 | <4.6.3 |
show Lxml version 4.6.3 includes a fix for CVE-2021-28957: An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formation attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. https://bugs.launchpad.net/lxml/+bug/1888153 |
lxml | 4.2.4 | <4.2.5 |
show Lxml 4.2.5 includes a fix for CVE-2018-19787: lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar issue to CVE-2014-3146. |
Flask | 0.12.4 | <2.2.5 , >=2.3.0,<2.3.2 |
show Flask 2.2.5 and 2.3.2 include a fix for CVE-2023-30861: When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches 'Set-Cookie' headers, it may send one client's 'session' cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met: 1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies. 2. The application sets 'session.permanent = True' 3. The application does not access or modify the session at any point during a request. 4. 'SESSION_REFRESH_EACH_REQUEST' enabled (the default). 5. The application does not set a 'Cache-Control' header to indicate that a page is private or should not be cached. This happens because vulnerable versions of Flask only set the 'Vary: Cookie' header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. https://github.com/pallets/flask/security/advisories/GHSA-m2qf-hxjv-5gpq |
Pillow | 6.2.2 | <=7.0.0 |
show In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out-of-bounds reads exist in the parsing of SGI image files, a different issue than CVE-2020-5311. |
Pillow | 6.2.2 | <8.1.0 |
show Pillow 8.1.0 includes a fix for SGI Decode buffer overrun. CVE-2020-35655 #5173. |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25289: TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. NOTE: this issue exists because of an incomplete fix for CVE-2020-35654. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | >=0,<8.1.2 |
show Certain versions of Pillow are susceptible to a denial of service via memory consumption due to inadequate validation of the reported size of a contained image in a BLP container. This can result in attempts to allocate excessively large amounts of memory. To mitigate or avoid this vulnerability, users should consider updating to a newer version that addresses the issue or following any provided workarounds, such as avoiding the processing of specially crafted invalid image files that may trigger this condition. For additional details and potential updates, users may refer to the CVE-2021-27921 entry or contact the software maintainers through the provided channels. |
Pillow | 6.2.2 | <9.0.1 |
show Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled. |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 ensures JpegImagePlugin stops at the end of a truncated file to avoid Denial of Service attacks. https://github.com/python-pillow/Pillow/pull/5921 https://github.com/advisories/GHSA-4fx9-vc88-q2xc |
Pillow | 6.2.2 | <9.1.1 |
show Pillow 9.1.1 addresses the CVE-2022-30595: libImaging/TgaRleDecode.c in Pillow 9.1.0 has a heap buffer overflow in the processing of invalid TGA image files. |
Pillow | 6.2.2 | <7.1.0 |
show In Pillow before 7.1.0, there are two Buffer Overflows in libImaging/TiffDecode.c. |
Pillow | 6.2.2 | <7.1.0 |
show Pillow before 7.1.0 has multiple out-of-bounds reads in libImaging/FliDecode.c. |
Pillow | 6.2.2 | <7.1.0 |
show In libImaging/PcxDecode.c in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer. |
Pillow | 6.2.2 | >=4.3.0,<8.1.1 |
show Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large. |
Pillow | 6.2.2 | <8.0.1 |
show Pillow 8.0.1 updates 'FreeType' used in binary wheels to v2.10.4 to include a security fix. |
Pillow | 6.2.2 | <10.3.0 |
show Pillow 10.3.0 introduces a security update addressing CVE-2024-28219 by replacing certain functions with strncpy to prevent buffer overflow issues. |
Pillow | 6.2.2 | >=0,<8.2.0 |
show An issue was discovered in Pillow before 8.2.0. PSDImagePlugin.PsdImageFile lacked a sanity check on the number of input layers relative to the size of the data block. This could lead to a DoS on Image.open prior to Image.load. |
Pillow | 6.2.2 | <10.0.0 |
show Pillow 10.0.0 includes a fix for CVE-2023-44271: Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument. https://github.com/python-pillow/Pillow/pull/7244 |
Pillow | 6.2.2 | <10.2.0 |
show Pillow is potentially vulnerable to DoS attacks through PIL.ImageFont.ImageFont.getmask(). A decompression bomb check has also been added to the affected function. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 excludes carriage return in PDF regex to help prevent ReDoS. https://github.com/python-pillow/Pillow/pull/5912 https://github.com/python-pillow/Pillow/commit/43b800d933c996226e4d7df00c33fcbe46d97363 |
Pillow | 6.2.2 | <8.2.0 |
show Pillow version 8.2.0 includes a fix for CVE-2021-28676: For FLI data, FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load. https://lists.fedoraproject.org/archives/list/[email protected]/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/ https://github.com/python-pillow/Pillow/pull/5377 https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28676-fix-fli-dos |
Pillow | 6.2.2 | <10.2.0 |
show Pillow is affected by an arbitrary code execution vulnerability. If an attacker has control over the keys passed to the environment argument of PIL.ImageMath.eval(), they may be able to execute arbitrary code. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 6.2.2 | <8.2.0 |
show Pillow version 8.2.0 includes a fix for CVE-2021-28678: For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data. https://lists.fedoraproject.org/archives/list/[email protected]/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/ https://github.com/python-pillow/Pillow/pull/5377 https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28678-fix-blp-dos |
Pillow | 6.2.2 | >=2.5.0,<10.0.1 |
show Pillow 10.0.1 updates its C dependency 'libwebp' to 1.3.2 to include a fix for a high-risk vulnerability. https://pillow.readthedocs.io/en/stable/releasenotes/10.0.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25291: In TiffDecode.c, there is an out-of-bounds read in TiffreadRGBATile via invalid tile boundaries. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25293: There is an out-of-bounds read in SGIRleDecode.c. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25290: In TiffDecode.c, there is a negative-offset memcpy with an invalid size. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <7.1.0 |
show In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file. |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-27921: Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.2.0 |
show Pillow 8.2.0 includes a fix for CVE-2021-25288: There is an out-of-bounds read in J2kDecode, in j2ku_gray_i. https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode |
Pillow | 6.2.2 | <8.3.0 |
show Pillow 8.3.0 includes a fix for CVE-2021-34552: Pillow through 8.2.0 and PIL (also known as Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow https://pillow.readthedocs.io/en/stable/releasenotes/index.html |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22816: path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 6.2.2 | <8.1.0 |
show Pillow 8.1.0 fixes TIFF OOB Write error. CVE-2020-35654 #5175. |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25292: The PDF parser allows a regular expression DoS (ReDoS) attack via a crafted PDF file because of a catastrophic backtracking regex. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-27922: Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.0 |
show In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations. |
Pillow | 6.2.2 | <8.2.0 |
show Pillow 8.2.0 includes a fix for CVE-2021-25287: There is an out-of-bounds read in J2kDecode, in j2ku_graya_la. https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode |
Pillow | 6.2.2 | <8.2.0 |
show Pillow version 8.2.0 includes a fix for CVE-2021-28677: For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \r and \n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a DoS of Pillow in the open phase, before an image was accepted for opening. https://lists.fedoraproject.org/archives/list/[email protected]/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/ https://github.com/python-pillow/Pillow/pull/5377 https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28677-fix-eps-dos-on-open |
Pillow | 6.2.2 | <9.0.1 |
show Pillow 9.0.1 includes a fix for CVE-2022-22817: PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A first patch was issued for version 9.0.0 but it did not prevent builtins available to lambda expressions. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html#security |
Pillow | 6.2.2 | >=5.2.0,<8.3.2 |
show Pillow from 5.2.0 and before 8.3.2 is vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function. https://github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd2f476e1b20b7cf38683754866b https://pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22815: path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 6.2.2 | <9.2.0 |
show Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification). |
Jinja2 | 2.11.2 | <2.11.3 |
show This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the '_punctuation_re regex' operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory. |
Jinja2 | 2.11.2 | <3.1.3 |
show Jinja2 before 3.1.3 is affected by a Cross-Site Scripting vulnerability. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template. The Jinja 'xmlattr' filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based. |
urllib3 | 1.25.8 | <1.26.17 , >=2.0.0a1,<2.0.5 |
show Urllib3 1.26.17 and 2.0.5 include a fix for CVE-2023-43804: Urllib3 doesn't treat the 'Cookie' HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a 'Cookie' header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f |
urllib3 | 1.25.8 | <1.25.9 |
show Urllib3 1.25.9 includes a fix for CVE-2020-26137: Urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116. https://github.com/python/cpython/issues/83784 https://github.com/urllib3/urllib3/pull/1800 |
urllib3 | 1.25.8 | <1.26.5 |
show Urllib3 1.26.5 includes a fix for CVE-2021-33503: When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. https://github.com/advisories/GHSA-q2q7-5pp4-w6pg |
urllib3 | 1.25.8 | <1.26.18 , >=2.0.0a1,<2.0.7 |
show Urllib3 1.26.18 and 2.0.7 include a fix for CVE-2023-45803: Request body not stripped after redirect from 303 status changes request method to GET. https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4 |
gunicorn | 19.8.1 | <19.10.0 , >=20.0.0,<20.0.1 |
show Gunicorn 20.0.1 fixes chunked encoding support to prevent http request smuggling attacks. https://github.com/benoitc/gunicorn/issues/2176 https://github.com/p4k03n4t0r/http-request-smuggling#request-smuggling-using-mitmproxy-and-gunicorn |
Werkzeug | 0.14.1 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-23934: Browsers may allow "nameless" cookies that look like '=value' instead of 'key=value'. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like '=__Host-test=bad' for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie '=__Host-test=bad' as __Host-test=bad'. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q |
Werkzeug | 0.14.1 | ==3.0.0 , <2.3.8 |
show Werkzeug 3.0.1 and 2.3.8 include a security fix: Slow multipart parsing for large parts potentially enabling DoS attacks. https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1 |
Werkzeug | 0.14.1 | >=0,<0.15.3 |
show Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id. |
Werkzeug | 0.14.1 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-25577: Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses 'request.data', 'request.form', 'request.files', or 'request.get_data(parse_form_data=False)', it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers. https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323 |
Werkzeug | 0.14.1 | >=0,<0.15.5 |
show In Pallets Werkzeug before 0.15.5, SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames. |
Flask-Admin | 1.5.2 | <=1.5.2 |
show Flask-Admin 1.5.3 includes a fix for CVE-2018-16516: Helpers.py in Flask-Admin 1.5.2 has Reflected XSS via a crafted URL. https://github.com/flask-admin/flask-admin/pull/1699 |
Flask-Caching | 1.4.0 | <=1.10.1 |
show Flask-caching is vulnerable to CVE-2021-33026: Flask-Caching extension for Flask relies on Pickle for deserialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code. NOTE: Project maintainers indicate that exploitation is extremely unlikely unless the machine is already compromised; in other cases, the attacker would be unable to write their payload to the cache and generate the required collision. https://github.com/pallets-eco/flask-caching/pull/209 |
Package | Installed | Affected | Info |
---|---|---|---|
lxml | 4.2.4 | <4.6.2 |
show Lxml 4.6.2 includes a fix for CVE-2020-27783: A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code. |
lxml | 4.2.4 | <4.9.1 |
show Lxml 4.9.1 includes a fix for CVE-2022-2309: NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered. |
lxml | 4.2.4 | <4.4.0 |
show In lxml before 4.4.0, when writing to file paths that contain the URL escape character '%', the file path could wrongly be mangled by URL unescaping and thus write to a different file or directory. Code that writes to file paths that are provided by untrusted sources, but that must work with previous versions of lxml, should best either reject paths that contain '%' characters, or otherwise make sure that the path does not contain maliciously injected '%XX' URL hex escapes for paths like '../'. https://github.com/lxml/lxml/commit/0245aba002f069a0b157282707bdf77418d1b5be |
lxml | 4.2.4 | <4.6.5 |
show Lxml 4.6.5 includes a fix for CVE-2021-43818: Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. |
lxml | 4.2.4 | <4.6.3 |
show Lxml version 4.6.3 includes a fix for CVE-2021-28957: An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formation attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. https://bugs.launchpad.net/lxml/+bug/1888153 |
lxml | 4.2.4 | <4.2.5 |
show Lxml 4.2.5 includes a fix for CVE-2018-19787: lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar issue to CVE-2014-3146. |
Flask | 0.12.4 | <2.2.5 , >=2.3.0,<2.3.2 |
show Flask 2.2.5 and 2.3.2 include a fix for CVE-2023-30861: When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches 'Set-Cookie' headers, it may send one client's 'session' cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met: 1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies. 2. The application sets 'session.permanent = True' 3. The application does not access or modify the session at any point during a request. 4. 'SESSION_REFRESH_EACH_REQUEST' enabled (the default). 5. The application does not set a 'Cache-Control' header to indicate that a page is private or should not be cached. This happens because vulnerable versions of Flask only set the 'Vary: Cookie' header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. https://github.com/pallets/flask/security/advisories/GHSA-m2qf-hxjv-5gpq |
Pillow | 6.2.2 | <=7.0.0 |
show In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out-of-bounds reads exist in the parsing of SGI image files, a different issue than CVE-2020-5311. |
Pillow | 6.2.2 | <8.1.0 |
show Pillow 8.1.0 includes a fix for SGI Decode buffer overrun. CVE-2020-35655 #5173. |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25289: TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. NOTE: this issue exists because of an incomplete fix for CVE-2020-35654. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | >=0,<8.1.2 |
show Certain versions of Pillow are susceptible to a denial of service via memory consumption due to inadequate validation of the reported size of a contained image in a BLP container. This can result in attempts to allocate excessively large amounts of memory. To mitigate or avoid this vulnerability, users should consider updating to a newer version that addresses the issue or following any provided workarounds, such as avoiding the processing of specially crafted invalid image files that may trigger this condition. For additional details and potential updates, users may refer to the CVE-2021-27921 entry or contact the software maintainers through the provided channels. |
Pillow | 6.2.2 | <9.0.1 |
show Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled. |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 ensures JpegImagePlugin stops at the end of a truncated file to avoid Denial of Service attacks. https://github.com/python-pillow/Pillow/pull/5921 https://github.com/advisories/GHSA-4fx9-vc88-q2xc |
Pillow | 6.2.2 | <9.1.1 |
show Pillow 9.1.1 addresses the CVE-2022-30595: libImaging/TgaRleDecode.c in Pillow 9.1.0 has a heap buffer overflow in the processing of invalid TGA image files. |
Pillow | 6.2.2 | <7.1.0 |
show In Pillow before 7.1.0, there are two Buffer Overflows in libImaging/TiffDecode.c. |
Pillow | 6.2.2 | <7.1.0 |
show Pillow before 7.1.0 has multiple out-of-bounds reads in libImaging/FliDecode.c. |
Pillow | 6.2.2 | <7.1.0 |
show In libImaging/PcxDecode.c in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer. |
Pillow | 6.2.2 | >=4.3.0,<8.1.1 |
show Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large. |
Pillow | 6.2.2 | <8.0.1 |
show Pillow 8.0.1 updates 'FreeType' used in binary wheels to v2.10.4 to include a security fix. |
Pillow | 6.2.2 | <10.3.0 |
show Pillow 10.3.0 introduces a security update addressing CVE-2024-28219 by replacing certain functions with strncpy to prevent buffer overflow issues. |
Pillow | 6.2.2 | >=0,<8.2.0 |
show An issue was discovered in Pillow before 8.2.0. PSDImagePlugin.PsdImageFile lacked a sanity check on the number of input layers relative to the size of the data block. This could lead to a DoS on Image.open prior to Image.load. |
Pillow | 6.2.2 | <10.0.0 |
show Pillow 10.0.0 includes a fix for CVE-2023-44271: Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument. https://github.com/python-pillow/Pillow/pull/7244 |
Pillow | 6.2.2 | <10.2.0 |
show Pillow is potentially vulnerable to DoS attacks through PIL.ImageFont.ImageFont.getmask(). A decompression bomb check has also been added to the affected function. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 excludes carriage return in PDF regex to help prevent ReDoS. https://github.com/python-pillow/Pillow/pull/5912 https://github.com/python-pillow/Pillow/commit/43b800d933c996226e4d7df00c33fcbe46d97363 |
Pillow | 6.2.2 | <8.2.0 |
show Pillow version 8.2.0 includes a fix for CVE-2021-28676: For FLI data, FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load. https://lists.fedoraproject.org/archives/list/[email protected]/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/ https://github.com/python-pillow/Pillow/pull/5377 https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28676-fix-fli-dos |
Pillow | 6.2.2 | <10.2.0 |
show Pillow is affected by an arbitrary code execution vulnerability. If an attacker has control over the keys passed to the environment argument of PIL.ImageMath.eval(), they may be able to execute arbitrary code. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 6.2.2 | <8.2.0 |
show Pillow version 8.2.0 includes a fix for CVE-2021-28678: For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data. https://lists.fedoraproject.org/archives/list/[email protected]/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/ https://github.com/python-pillow/Pillow/pull/5377 https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28678-fix-blp-dos |
Pillow | 6.2.2 | >=2.5.0,<10.0.1 |
show Pillow 10.0.1 updates its C dependency 'libwebp' to 1.3.2 to include a fix for a high-risk vulnerability. https://pillow.readthedocs.io/en/stable/releasenotes/10.0.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25291: In TiffDecode.c, there is an out-of-bounds read in TiffreadRGBATile via invalid tile boundaries. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25293: There is an out-of-bounds read in SGIRleDecode.c. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25290: In TiffDecode.c, there is a negative-offset memcpy with an invalid size. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <7.1.0 |
show In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file. |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-27921: Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.2.0 |
show Pillow 8.2.0 includes a fix for CVE-2021-25288: There is an out-of-bounds read in J2kDecode, in j2ku_gray_i. https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode |
Pillow | 6.2.2 | <8.3.0 |
show Pillow 8.3.0 includes a fix for CVE-2021-34552: Pillow through 8.2.0 and PIL (also known as Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow https://pillow.readthedocs.io/en/stable/releasenotes/index.html |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22816: path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 6.2.2 | <8.1.0 |
show Pillow 8.1.0 fixes TIFF OOB Write error. CVE-2020-35654 #5175. |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25292: The PDF parser allows a regular expression DoS (ReDoS) attack via a crafted PDF file because of a catastrophic backtracking regex. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-27922: Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.0 |
show In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations. |
Pillow | 6.2.2 | <8.2.0 |
show Pillow 8.2.0 includes a fix for CVE-2021-25287: There is an out-of-bounds read in J2kDecode, in j2ku_graya_la. https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode |
Pillow | 6.2.2 | <8.2.0 |
show Pillow version 8.2.0 includes a fix for CVE-2021-28677: For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \r and \n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a DoS of Pillow in the open phase, before an image was accepted for opening. https://lists.fedoraproject.org/archives/list/[email protected]/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/ https://github.com/python-pillow/Pillow/pull/5377 https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28677-fix-eps-dos-on-open |
Pillow | 6.2.2 | <9.0.1 |
show Pillow 9.0.1 includes a fix for CVE-2022-22817: PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A first patch was issued for version 9.0.0 but it did not prevent builtins available to lambda expressions. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html#security |
Pillow | 6.2.2 | >=5.2.0,<8.3.2 |
show Pillow from 5.2.0 and before 8.3.2 is vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function. https://github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd2f476e1b20b7cf38683754866b https://pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22815: path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 6.2.2 | <9.2.0 |
show Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification). |
Jinja2 | 2.11.2 | <2.11.3 |
show This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the '_punctuation_re regex' operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory. |
Jinja2 | 2.11.2 | <3.1.3 |
show Jinja2 before 3.1.3 is affected by a Cross-Site Scripting vulnerability. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template. The Jinja 'xmlattr' filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based. |
urllib3 | 1.25.8 | <1.26.17 , >=2.0.0a1,<2.0.5 |
show Urllib3 1.26.17 and 2.0.5 include a fix for CVE-2023-43804: Urllib3 doesn't treat the 'Cookie' HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a 'Cookie' header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f |
urllib3 | 1.25.8 | <1.25.9 |
show Urllib3 1.25.9 includes a fix for CVE-2020-26137: Urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116. https://github.com/python/cpython/issues/83784 https://github.com/urllib3/urllib3/pull/1800 |
urllib3 | 1.25.8 | <1.26.5 |
show Urllib3 1.26.5 includes a fix for CVE-2021-33503: When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. https://github.com/advisories/GHSA-q2q7-5pp4-w6pg |
urllib3 | 1.25.8 | <1.26.18 , >=2.0.0a1,<2.0.7 |
show Urllib3 1.26.18 and 2.0.7 include a fix for CVE-2023-45803: Request body not stripped after redirect from 303 status changes request method to GET. https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4 |
gunicorn | 19.8.1 | <19.10.0 , >=20.0.0,<20.0.1 |
show Gunicorn 20.0.1 fixes chunked encoding support to prevent http request smuggling attacks. https://github.com/benoitc/gunicorn/issues/2176 https://github.com/p4k03n4t0r/http-request-smuggling#request-smuggling-using-mitmproxy-and-gunicorn |
Werkzeug | 0.14.1 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-23934: Browsers may allow "nameless" cookies that look like '=value' instead of 'key=value'. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like '=__Host-test=bad' for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie '=__Host-test=bad' as __Host-test=bad'. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q |
Werkzeug | 0.14.1 | ==3.0.0 , <2.3.8 |
show Werkzeug 3.0.1 and 2.3.8 include a security fix: Slow multipart parsing for large parts potentially enabling DoS attacks. https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1 |
Werkzeug | 0.14.1 | >=0,<0.15.3 |
show Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id. |
Werkzeug | 0.14.1 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-25577: Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses 'request.data', 'request.form', 'request.files', or 'request.get_data(parse_form_data=False)', it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers. https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323 |
Werkzeug | 0.14.1 | >=0,<0.15.5 |
show In Pallets Werkzeug before 0.15.5, SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames. |
Flask-Admin | 1.5.2 | <=1.5.2 |
show Flask-Admin 1.5.3 includes a fix for CVE-2018-16516: Helpers.py in Flask-Admin 1.5.2 has Reflected XSS via a crafted URL. https://github.com/flask-admin/flask-admin/pull/1699 |
Flask-Caching | 1.4.0 | <=1.10.1 |
show Flask-caching is vulnerable to CVE-2021-33026: Flask-Caching extension for Flask relies on Pickle for deserialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code. NOTE: Project maintainers indicate that exploitation is extremely unlikely unless the machine is already compromised; in other cases, the attacker would be unable to write their payload to the cache and generate the required collision. https://github.com/pallets-eco/flask-caching/pull/209 |
Package | Installed | Affected | Info |
---|---|---|---|
lxml | 4.2.4 | <4.6.2 |
show Lxml 4.6.2 includes a fix for CVE-2020-27783: A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code. |
lxml | 4.2.4 | <4.9.1 |
show Lxml 4.9.1 includes a fix for CVE-2022-2309: NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered. |
lxml | 4.2.4 | <4.4.0 |
show In lxml before 4.4.0, when writing to file paths that contain the URL escape character '%', the file path could wrongly be mangled by URL unescaping and thus write to a different file or directory. Code that writes to file paths that are provided by untrusted sources, but that must work with previous versions of lxml, should best either reject paths that contain '%' characters, or otherwise make sure that the path does not contain maliciously injected '%XX' URL hex escapes for paths like '../'. https://github.com/lxml/lxml/commit/0245aba002f069a0b157282707bdf77418d1b5be |
lxml | 4.2.4 | <4.6.5 |
show Lxml 4.6.5 includes a fix for CVE-2021-43818: Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. |
lxml | 4.2.4 | <4.6.3 |
show Lxml version 4.6.3 includes a fix for CVE-2021-28957: An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formation attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. https://bugs.launchpad.net/lxml/+bug/1888153 |
lxml | 4.2.4 | <4.2.5 |
show Lxml 4.2.5 includes a fix for CVE-2018-19787: lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar issue to CVE-2014-3146. |
Flask | 0.12.4 | <2.2.5 , >=2.3.0,<2.3.2 |
show Flask 2.2.5 and 2.3.2 include a fix for CVE-2023-30861: When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches 'Set-Cookie' headers, it may send one client's 'session' cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met: 1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies. 2. The application sets 'session.permanent = True' 3. The application does not access or modify the session at any point during a request. 4. 'SESSION_REFRESH_EACH_REQUEST' enabled (the default). 5. The application does not set a 'Cache-Control' header to indicate that a page is private or should not be cached. This happens because vulnerable versions of Flask only set the 'Vary: Cookie' header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. https://github.com/pallets/flask/security/advisories/GHSA-m2qf-hxjv-5gpq |
Pillow | 6.2.2 | <=7.0.0 |
show In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out-of-bounds reads exist in the parsing of SGI image files, a different issue than CVE-2020-5311. |
Pillow | 6.2.2 | <8.1.0 |
show Pillow 8.1.0 includes a fix for SGI Decode buffer overrun. CVE-2020-35655 #5173. |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25289: TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. NOTE: this issue exists because of an incomplete fix for CVE-2020-35654. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | >=0,<8.1.2 |
show Certain versions of Pillow are susceptible to a denial of service via memory consumption due to inadequate validation of the reported size of a contained image in a BLP container. This can result in attempts to allocate excessively large amounts of memory. To mitigate or avoid this vulnerability, users should consider updating to a newer version that addresses the issue or following any provided workarounds, such as avoiding the processing of specially crafted invalid image files that may trigger this condition. For additional details and potential updates, users may refer to the CVE-2021-27921 entry or contact the software maintainers through the provided channels. |
Pillow | 6.2.2 | <9.0.1 |
show Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled. |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 ensures JpegImagePlugin stops at the end of a truncated file to avoid Denial of Service attacks. https://github.com/python-pillow/Pillow/pull/5921 https://github.com/advisories/GHSA-4fx9-vc88-q2xc |
Pillow | 6.2.2 | <9.1.1 |
show Pillow 9.1.1 addresses the CVE-2022-30595: libImaging/TgaRleDecode.c in Pillow 9.1.0 has a heap buffer overflow in the processing of invalid TGA image files. |
Pillow | 6.2.2 | <7.1.0 |
show In Pillow before 7.1.0, there are two Buffer Overflows in libImaging/TiffDecode.c. |
Pillow | 6.2.2 | <7.1.0 |
show Pillow before 7.1.0 has multiple out-of-bounds reads in libImaging/FliDecode.c. |
Pillow | 6.2.2 | <7.1.0 |
show In libImaging/PcxDecode.c in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer. |
Pillow | 6.2.2 | >=4.3.0,<8.1.1 |
show Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large. |
Pillow | 6.2.2 | <8.0.1 |
show Pillow 8.0.1 updates 'FreeType' used in binary wheels to v2.10.4 to include a security fix. |
Pillow | 6.2.2 | <10.3.0 |
show Pillow 10.3.0 introduces a security update addressing CVE-2024-28219 by replacing certain functions with strncpy to prevent buffer overflow issues. |
Pillow | 6.2.2 | >=0,<8.2.0 |
show An issue was discovered in Pillow before 8.2.0. PSDImagePlugin.PsdImageFile lacked a sanity check on the number of input layers relative to the size of the data block. This could lead to a DoS on Image.open prior to Image.load. |
Pillow | 6.2.2 | <10.0.0 |
show Pillow 10.0.0 includes a fix for CVE-2023-44271: Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument. https://github.com/python-pillow/Pillow/pull/7244 |
Pillow | 6.2.2 | <10.2.0 |
show Pillow is potentially vulnerable to DoS attacks through PIL.ImageFont.ImageFont.getmask(). A decompression bomb check has also been added to the affected function. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 excludes carriage return in PDF regex to help prevent ReDoS. https://github.com/python-pillow/Pillow/pull/5912 https://github.com/python-pillow/Pillow/commit/43b800d933c996226e4d7df00c33fcbe46d97363 |
Pillow | 6.2.2 | <8.2.0 |
show Pillow version 8.2.0 includes a fix for CVE-2021-28676: For FLI data, FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load. https://lists.fedoraproject.org/archives/list/[email protected]/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/ https://github.com/python-pillow/Pillow/pull/5377 https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28676-fix-fli-dos |
Pillow | 6.2.2 | <10.2.0 |
show Pillow is affected by an arbitrary code execution vulnerability. If an attacker has control over the keys passed to the environment argument of PIL.ImageMath.eval(), they may be able to execute arbitrary code. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 6.2.2 | <8.2.0 |
show Pillow version 8.2.0 includes a fix for CVE-2021-28678: For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data. https://lists.fedoraproject.org/archives/list/[email protected]/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/ https://github.com/python-pillow/Pillow/pull/5377 https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28678-fix-blp-dos |
Pillow | 6.2.2 | >=2.5.0,<10.0.1 |
show Pillow 10.0.1 updates its C dependency 'libwebp' to 1.3.2 to include a fix for a high-risk vulnerability. https://pillow.readthedocs.io/en/stable/releasenotes/10.0.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25291: In TiffDecode.c, there is an out-of-bounds read in TiffreadRGBATile via invalid tile boundaries. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25293: There is an out-of-bounds read in SGIRleDecode.c. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25290: In TiffDecode.c, there is a negative-offset memcpy with an invalid size. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <7.1.0 |
show In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file. |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-27921: Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.2.0 |
show Pillow 8.2.0 includes a fix for CVE-2021-25288: There is an out-of-bounds read in J2kDecode, in j2ku_gray_i. https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode |
Pillow | 6.2.2 | <8.3.0 |
show Pillow 8.3.0 includes a fix for CVE-2021-34552: Pillow through 8.2.0 and PIL (also known as Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow https://pillow.readthedocs.io/en/stable/releasenotes/index.html |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22816: path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 6.2.2 | <8.1.0 |
show Pillow 8.1.0 fixes TIFF OOB Write error. CVE-2020-35654 #5175. |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25292: The PDF parser allows a regular expression DoS (ReDoS) attack via a crafted PDF file because of a catastrophic backtracking regex. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-27922: Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.0 |
show In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations. |
Pillow | 6.2.2 | <8.2.0 |
show Pillow 8.2.0 includes a fix for CVE-2021-25287: There is an out-of-bounds read in J2kDecode, in j2ku_graya_la. https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode |
Pillow | 6.2.2 | <8.2.0 |
show Pillow version 8.2.0 includes a fix for CVE-2021-28677: For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \r and \n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a DoS of Pillow in the open phase, before an image was accepted for opening. https://lists.fedoraproject.org/archives/list/[email protected]/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/ https://github.com/python-pillow/Pillow/pull/5377 https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28677-fix-eps-dos-on-open |
Pillow | 6.2.2 | <9.0.1 |
show Pillow 9.0.1 includes a fix for CVE-2022-22817: PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A first patch was issued for version 9.0.0 but it did not prevent builtins available to lambda expressions. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html#security |
Pillow | 6.2.2 | >=5.2.0,<8.3.2 |
show Pillow from 5.2.0 and before 8.3.2 is vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function. https://github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd2f476e1b20b7cf38683754866b https://pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22815: path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 6.2.2 | <9.2.0 |
show Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification). |
Jinja2 | 2.11.2 | <2.11.3 |
show This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the '_punctuation_re regex' operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory. |
Jinja2 | 2.11.2 | <3.1.3 |
show Jinja2 before 3.1.3 is affected by a Cross-Site Scripting vulnerability. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template. The Jinja 'xmlattr' filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based. |
urllib3 | 1.25.8 | <1.26.17 , >=2.0.0a1,<2.0.5 |
show Urllib3 1.26.17 and 2.0.5 include a fix for CVE-2023-43804: Urllib3 doesn't treat the 'Cookie' HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a 'Cookie' header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f |
urllib3 | 1.25.8 | <1.25.9 |
show Urllib3 1.25.9 includes a fix for CVE-2020-26137: Urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116. https://github.com/python/cpython/issues/83784 https://github.com/urllib3/urllib3/pull/1800 |
urllib3 | 1.25.8 | <1.26.5 |
show Urllib3 1.26.5 includes a fix for CVE-2021-33503: When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. https://github.com/advisories/GHSA-q2q7-5pp4-w6pg |
urllib3 | 1.25.8 | <1.26.18 , >=2.0.0a1,<2.0.7 |
show Urllib3 1.26.18 and 2.0.7 include a fix for CVE-2023-45803: Request body not stripped after redirect from 303 status changes request method to GET. https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4 |
gunicorn | 19.8.1 | <19.10.0 , >=20.0.0,<20.0.1 |
show Gunicorn 20.0.1 fixes chunked encoding support to prevent http request smuggling attacks. https://github.com/benoitc/gunicorn/issues/2176 https://github.com/p4k03n4t0r/http-request-smuggling#request-smuggling-using-mitmproxy-and-gunicorn |
Werkzeug | 0.14.1 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-23934: Browsers may allow "nameless" cookies that look like '=value' instead of 'key=value'. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like '=__Host-test=bad' for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie '=__Host-test=bad' as __Host-test=bad'. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q |
Werkzeug | 0.14.1 | ==3.0.0 , <2.3.8 |
show Werkzeug 3.0.1 and 2.3.8 include a security fix: Slow multipart parsing for large parts potentially enabling DoS attacks. https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1 |
Werkzeug | 0.14.1 | >=0,<0.15.3 |
show Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id. |
Werkzeug | 0.14.1 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-25577: Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses 'request.data', 'request.form', 'request.files', or 'request.get_data(parse_form_data=False)', it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers. https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323 |
Werkzeug | 0.14.1 | >=0,<0.15.5 |
show In Pallets Werkzeug before 0.15.5, SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames. |
Flask-Admin | 1.5.2 | <=1.5.2 |
show Flask-Admin 1.5.3 includes a fix for CVE-2018-16516: Helpers.py in Flask-Admin 1.5.2 has Reflected XSS via a crafted URL. https://github.com/flask-admin/flask-admin/pull/1699 |
Flask-Caching | 1.4.0 | <=1.10.1 |
show Flask-caching is vulnerable to CVE-2021-33026: Flask-Caching extension for Flask relies on Pickle for deserialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code. NOTE: Project maintainers indicate that exploitation is extremely unlikely unless the machine is already compromised; in other cases, the attacker would be unable to write their payload to the cache and generate the required collision. https://github.com/pallets-eco/flask-caching/pull/209 |
Package | Installed | Affected | Info |
---|---|---|---|
lxml | 4.2.4 | <4.6.2 |
show Lxml 4.6.2 includes a fix for CVE-2020-27783: A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code. |
lxml | 4.2.4 | <4.9.1 |
show Lxml 4.9.1 includes a fix for CVE-2022-2309: NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered. |
lxml | 4.2.4 | <4.4.0 |
show In lxml before 4.4.0, when writing to file paths that contain the URL escape character '%', the file path could wrongly be mangled by URL unescaping and thus write to a different file or directory. Code that writes to file paths that are provided by untrusted sources, but that must work with previous versions of lxml, should best either reject paths that contain '%' characters, or otherwise make sure that the path does not contain maliciously injected '%XX' URL hex escapes for paths like '../'. https://github.com/lxml/lxml/commit/0245aba002f069a0b157282707bdf77418d1b5be |
lxml | 4.2.4 | <4.6.5 |
show Lxml 4.6.5 includes a fix for CVE-2021-43818: Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. |
lxml | 4.2.4 | <4.6.3 |
show Lxml version 4.6.3 includes a fix for CVE-2021-28957: An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formation attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. https://bugs.launchpad.net/lxml/+bug/1888153 |
lxml | 4.2.4 | <4.2.5 |
show Lxml 4.2.5 includes a fix for CVE-2018-19787: lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar issue to CVE-2014-3146. |
Flask | 0.12.4 | <2.2.5 , >=2.3.0,<2.3.2 |
show Flask 2.2.5 and 2.3.2 include a fix for CVE-2023-30861: When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches 'Set-Cookie' headers, it may send one client's 'session' cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met: 1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies. 2. The application sets 'session.permanent = True' 3. The application does not access or modify the session at any point during a request. 4. 'SESSION_REFRESH_EACH_REQUEST' enabled (the default). 5. The application does not set a 'Cache-Control' header to indicate that a page is private or should not be cached. This happens because vulnerable versions of Flask only set the 'Vary: Cookie' header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. https://github.com/pallets/flask/security/advisories/GHSA-m2qf-hxjv-5gpq |
Pillow | 6.2.2 | <=7.0.0 |
show In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out-of-bounds reads exist in the parsing of SGI image files, a different issue than CVE-2020-5311. |
Pillow | 6.2.2 | <8.1.0 |
show Pillow 8.1.0 includes a fix for SGI Decode buffer overrun. CVE-2020-35655 #5173. |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25289: TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. NOTE: this issue exists because of an incomplete fix for CVE-2020-35654. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | >=0,<8.1.2 |
show Certain versions of Pillow are susceptible to a denial of service via memory consumption due to inadequate validation of the reported size of a contained image in a BLP container. This can result in attempts to allocate excessively large amounts of memory. To mitigate or avoid this vulnerability, users should consider updating to a newer version that addresses the issue or following any provided workarounds, such as avoiding the processing of specially crafted invalid image files that may trigger this condition. For additional details and potential updates, users may refer to the CVE-2021-27921 entry or contact the software maintainers through the provided channels. |
Pillow | 6.2.2 | <9.0.1 |
show Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled. |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 ensures JpegImagePlugin stops at the end of a truncated file to avoid Denial of Service attacks. https://github.com/python-pillow/Pillow/pull/5921 https://github.com/advisories/GHSA-4fx9-vc88-q2xc |
Pillow | 6.2.2 | <9.1.1 |
show Pillow 9.1.1 addresses the CVE-2022-30595: libImaging/TgaRleDecode.c in Pillow 9.1.0 has a heap buffer overflow in the processing of invalid TGA image files. |
Pillow | 6.2.2 | <7.1.0 |
show In Pillow before 7.1.0, there are two Buffer Overflows in libImaging/TiffDecode.c. |
Pillow | 6.2.2 | <7.1.0 |
show Pillow before 7.1.0 has multiple out-of-bounds reads in libImaging/FliDecode.c. |
Pillow | 6.2.2 | <7.1.0 |
show In libImaging/PcxDecode.c in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer. |
Pillow | 6.2.2 | >=4.3.0,<8.1.1 |
show Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large. |
Pillow | 6.2.2 | <8.0.1 |
show Pillow 8.0.1 updates 'FreeType' used in binary wheels to v2.10.4 to include a security fix. |
Pillow | 6.2.2 | <10.3.0 |
show Pillow 10.3.0 introduces a security update addressing CVE-2024-28219 by replacing certain functions with strncpy to prevent buffer overflow issues. |
Pillow | 6.2.2 | >=0,<8.2.0 |
show An issue was discovered in Pillow before 8.2.0. PSDImagePlugin.PsdImageFile lacked a sanity check on the number of input layers relative to the size of the data block. This could lead to a DoS on Image.open prior to Image.load. |
Pillow | 6.2.2 | <10.0.0 |
show Pillow 10.0.0 includes a fix for CVE-2023-44271: Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument. https://github.com/python-pillow/Pillow/pull/7244 |
Pillow | 6.2.2 | <10.2.0 |
show Pillow is potentially vulnerable to DoS attacks through PIL.ImageFont.ImageFont.getmask(). A decompression bomb check has also been added to the affected function. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 excludes carriage return in PDF regex to help prevent ReDoS. https://github.com/python-pillow/Pillow/pull/5912 https://github.com/python-pillow/Pillow/commit/43b800d933c996226e4d7df00c33fcbe46d97363 |
Pillow | 6.2.2 | <8.2.0 |
show Pillow version 8.2.0 includes a fix for CVE-2021-28676: For FLI data, FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load. https://lists.fedoraproject.org/archives/list/[email protected]/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/ https://github.com/python-pillow/Pillow/pull/5377 https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28676-fix-fli-dos |
Pillow | 6.2.2 | <10.2.0 |
show Pillow is affected by an arbitrary code execution vulnerability. If an attacker has control over the keys passed to the environment argument of PIL.ImageMath.eval(), they may be able to execute arbitrary code. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 6.2.2 | <8.2.0 |
show Pillow version 8.2.0 includes a fix for CVE-2021-28678: For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data. https://lists.fedoraproject.org/archives/list/[email protected]/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/ https://github.com/python-pillow/Pillow/pull/5377 https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28678-fix-blp-dos |
Pillow | 6.2.2 | >=2.5.0,<10.0.1 |
show Pillow 10.0.1 updates its C dependency 'libwebp' to 1.3.2 to include a fix for a high-risk vulnerability. https://pillow.readthedocs.io/en/stable/releasenotes/10.0.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25291: In TiffDecode.c, there is an out-of-bounds read in TiffreadRGBATile via invalid tile boundaries. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25293: There is an out-of-bounds read in SGIRleDecode.c. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25290: In TiffDecode.c, there is a negative-offset memcpy with an invalid size. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <7.1.0 |
show In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file. |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-27921: Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.2.0 |
show Pillow 8.2.0 includes a fix for CVE-2021-25288: There is an out-of-bounds read in J2kDecode, in j2ku_gray_i. https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode |
Pillow | 6.2.2 | <8.3.0 |
show Pillow 8.3.0 includes a fix for CVE-2021-34552: Pillow through 8.2.0 and PIL (also known as Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow https://pillow.readthedocs.io/en/stable/releasenotes/index.html |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22816: path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 6.2.2 | <8.1.0 |
show Pillow 8.1.0 fixes TIFF OOB Write error. CVE-2020-35654 #5175. |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25292: The PDF parser allows a regular expression DoS (ReDoS) attack via a crafted PDF file because of a catastrophic backtracking regex. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-27922: Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.0 |
show In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations. |
Pillow | 6.2.2 | <8.2.0 |
show Pillow 8.2.0 includes a fix for CVE-2021-25287: There is an out-of-bounds read in J2kDecode, in j2ku_graya_la. https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode |
Pillow | 6.2.2 | <8.2.0 |
show Pillow version 8.2.0 includes a fix for CVE-2021-28677: For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \r and \n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a DoS of Pillow in the open phase, before an image was accepted for opening. https://lists.fedoraproject.org/archives/list/[email protected]/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/ https://github.com/python-pillow/Pillow/pull/5377 https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28677-fix-eps-dos-on-open |
Pillow | 6.2.2 | <9.0.1 |
show Pillow 9.0.1 includes a fix for CVE-2022-22817: PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A first patch was issued for version 9.0.0 but it did not prevent builtins available to lambda expressions. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html#security |
Pillow | 6.2.2 | >=5.2.0,<8.3.2 |
show Pillow from 5.2.0 and before 8.3.2 is vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function. https://github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd2f476e1b20b7cf38683754866b https://pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22815: path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 6.2.2 | <9.2.0 |
show Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification). |
Jinja2 | 2.11.2 | <2.11.3 |
show This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the '_punctuation_re regex' operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory. |
Jinja2 | 2.11.2 | <3.1.3 |
show Jinja2 before 3.1.3 is affected by a Cross-Site Scripting vulnerability. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template. The Jinja 'xmlattr' filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based. |
urllib3 | 1.25.8 | <1.26.17 , >=2.0.0a1,<2.0.5 |
show Urllib3 1.26.17 and 2.0.5 include a fix for CVE-2023-43804: Urllib3 doesn't treat the 'Cookie' HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a 'Cookie' header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f |
urllib3 | 1.25.8 | <1.25.9 |
show Urllib3 1.25.9 includes a fix for CVE-2020-26137: Urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116. https://github.com/python/cpython/issues/83784 https://github.com/urllib3/urllib3/pull/1800 |
urllib3 | 1.25.8 | <1.26.5 |
show Urllib3 1.26.5 includes a fix for CVE-2021-33503: When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. https://github.com/advisories/GHSA-q2q7-5pp4-w6pg |
urllib3 | 1.25.8 | <1.26.18 , >=2.0.0a1,<2.0.7 |
show Urllib3 1.26.18 and 2.0.7 include a fix for CVE-2023-45803: Request body not stripped after redirect from 303 status changes request method to GET. https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4 |
gunicorn | 19.8.1 | <19.10.0 , >=20.0.0,<20.0.1 |
show Gunicorn 20.0.1 fixes chunked encoding support to prevent http request smuggling attacks. https://github.com/benoitc/gunicorn/issues/2176 https://github.com/p4k03n4t0r/http-request-smuggling#request-smuggling-using-mitmproxy-and-gunicorn |
Werkzeug | 0.14.1 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-23934: Browsers may allow "nameless" cookies that look like '=value' instead of 'key=value'. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like '=__Host-test=bad' for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie '=__Host-test=bad' as __Host-test=bad'. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q |
Werkzeug | 0.14.1 | ==3.0.0 , <2.3.8 |
show Werkzeug 3.0.1 and 2.3.8 include a security fix: Slow multipart parsing for large parts potentially enabling DoS attacks. https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1 |
Werkzeug | 0.14.1 | >=0,<0.15.3 |
show Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id. |
Werkzeug | 0.14.1 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-25577: Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses 'request.data', 'request.form', 'request.files', or 'request.get_data(parse_form_data=False)', it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers. https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323 |
Werkzeug | 0.14.1 | >=0,<0.15.5 |
show In Pallets Werkzeug before 0.15.5, SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames. |
Flask-Admin | 1.5.2 | <=1.5.2 |
show Flask-Admin 1.5.3 includes a fix for CVE-2018-16516: Helpers.py in Flask-Admin 1.5.2 has Reflected XSS via a crafted URL. https://github.com/flask-admin/flask-admin/pull/1699 |
Flask-Caching | 1.4.0 | <=1.10.1 |
show Flask-caching is vulnerable to CVE-2021-33026: Flask-Caching extension for Flask relies on Pickle for deserialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code. NOTE: Project maintainers indicate that exploitation is extremely unlikely unless the machine is already compromised; in other cases, the attacker would be unable to write their payload to the cache and generate the required collision. https://github.com/pallets-eco/flask-caching/pull/209 |
Package | Installed | Affected | Info |
---|---|---|---|
lxml | 4.2.4 | <4.6.2 |
show Lxml 4.6.2 includes a fix for CVE-2020-27783: A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code. |
lxml | 4.2.4 | <4.9.1 |
show Lxml 4.9.1 includes a fix for CVE-2022-2309: NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered. |
lxml | 4.2.4 | <4.4.0 |
show In lxml before 4.4.0, when writing to file paths that contain the URL escape character '%', the file path could wrongly be mangled by URL unescaping and thus write to a different file or directory. Code that writes to file paths that are provided by untrusted sources, but that must work with previous versions of lxml, should best either reject paths that contain '%' characters, or otherwise make sure that the path does not contain maliciously injected '%XX' URL hex escapes for paths like '../'. https://github.com/lxml/lxml/commit/0245aba002f069a0b157282707bdf77418d1b5be |
lxml | 4.2.4 | <4.6.5 |
show Lxml 4.6.5 includes a fix for CVE-2021-43818: Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. |
lxml | 4.2.4 | <4.6.3 |
show Lxml version 4.6.3 includes a fix for CVE-2021-28957: An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formation attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. https://bugs.launchpad.net/lxml/+bug/1888153 |
lxml | 4.2.4 | <4.2.5 |
show Lxml 4.2.5 includes a fix for CVE-2018-19787: lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar issue to CVE-2014-3146. |
Flask | 0.12.4 | <2.2.5 , >=2.3.0,<2.3.2 |
show Flask 2.2.5 and 2.3.2 include a fix for CVE-2023-30861: When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches 'Set-Cookie' headers, it may send one client's 'session' cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met: 1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies. 2. The application sets 'session.permanent = True' 3. The application does not access or modify the session at any point during a request. 4. 'SESSION_REFRESH_EACH_REQUEST' enabled (the default). 5. The application does not set a 'Cache-Control' header to indicate that a page is private or should not be cached. This happens because vulnerable versions of Flask only set the 'Vary: Cookie' header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. https://github.com/pallets/flask/security/advisories/GHSA-m2qf-hxjv-5gpq |
Pillow | 6.2.2 | <=7.0.0 |
show In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out-of-bounds reads exist in the parsing of SGI image files, a different issue than CVE-2020-5311. |
Pillow | 6.2.2 | <8.1.0 |
show Pillow 8.1.0 includes a fix for SGI Decode buffer overrun. CVE-2020-35655 #5173. |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25289: TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. NOTE: this issue exists because of an incomplete fix for CVE-2020-35654. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | >=0,<8.1.2 |
show Certain versions of Pillow are susceptible to a denial of service via memory consumption due to inadequate validation of the reported size of a contained image in a BLP container. This can result in attempts to allocate excessively large amounts of memory. To mitigate or avoid this vulnerability, users should consider updating to a newer version that addresses the issue or following any provided workarounds, such as avoiding the processing of specially crafted invalid image files that may trigger this condition. For additional details and potential updates, users may refer to the CVE-2021-27921 entry or contact the software maintainers through the provided channels. |
Pillow | 6.2.2 | <9.0.1 |
show Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled. |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 ensures JpegImagePlugin stops at the end of a truncated file to avoid Denial of Service attacks. https://github.com/python-pillow/Pillow/pull/5921 https://github.com/advisories/GHSA-4fx9-vc88-q2xc |
Pillow | 6.2.2 | <9.1.1 |
show Pillow 9.1.1 addresses the CVE-2022-30595: libImaging/TgaRleDecode.c in Pillow 9.1.0 has a heap buffer overflow in the processing of invalid TGA image files. |
Pillow | 6.2.2 | <7.1.0 |
show In Pillow before 7.1.0, there are two Buffer Overflows in libImaging/TiffDecode.c. |
Pillow | 6.2.2 | <7.1.0 |
show Pillow before 7.1.0 has multiple out-of-bounds reads in libImaging/FliDecode.c. |
Pillow | 6.2.2 | <7.1.0 |
show In libImaging/PcxDecode.c in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer. |
Pillow | 6.2.2 | >=4.3.0,<8.1.1 |
show Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large. |
Pillow | 6.2.2 | <8.0.1 |
show Pillow 8.0.1 updates 'FreeType' used in binary wheels to v2.10.4 to include a security fix. |
Pillow | 6.2.2 | <10.3.0 |
show Pillow 10.3.0 introduces a security update addressing CVE-2024-28219 by replacing certain functions with strncpy to prevent buffer overflow issues. |
Pillow | 6.2.2 | >=0,<8.2.0 |
show An issue was discovered in Pillow before 8.2.0. PSDImagePlugin.PsdImageFile lacked a sanity check on the number of input layers relative to the size of the data block. This could lead to a DoS on Image.open prior to Image.load. |
Pillow | 6.2.2 | <10.0.0 |
show Pillow 10.0.0 includes a fix for CVE-2023-44271: Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument. https://github.com/python-pillow/Pillow/pull/7244 |
Pillow | 6.2.2 | <10.2.0 |
show Pillow is potentially vulnerable to DoS attacks through PIL.ImageFont.ImageFont.getmask(). A decompression bomb check has also been added to the affected function. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 excludes carriage return in PDF regex to help prevent ReDoS. https://github.com/python-pillow/Pillow/pull/5912 https://github.com/python-pillow/Pillow/commit/43b800d933c996226e4d7df00c33fcbe46d97363 |
Pillow | 6.2.2 | <8.2.0 |
show Pillow version 8.2.0 includes a fix for CVE-2021-28676: For FLI data, FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load. https://lists.fedoraproject.org/archives/list/[email protected]/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/ https://github.com/python-pillow/Pillow/pull/5377 https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28676-fix-fli-dos |
Pillow | 6.2.2 | <10.2.0 |
show Pillow is affected by an arbitrary code execution vulnerability. If an attacker has control over the keys passed to the environment argument of PIL.ImageMath.eval(), they may be able to execute arbitrary code. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 6.2.2 | <8.2.0 |
show Pillow version 8.2.0 includes a fix for CVE-2021-28678: For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data. https://lists.fedoraproject.org/archives/list/[email protected]/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/ https://github.com/python-pillow/Pillow/pull/5377 https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28678-fix-blp-dos |
Pillow | 6.2.2 | >=2.5.0,<10.0.1 |
show Pillow 10.0.1 updates its C dependency 'libwebp' to 1.3.2 to include a fix for a high-risk vulnerability. https://pillow.readthedocs.io/en/stable/releasenotes/10.0.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25291: In TiffDecode.c, there is an out-of-bounds read in TiffreadRGBATile via invalid tile boundaries. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25293: There is an out-of-bounds read in SGIRleDecode.c. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25290: In TiffDecode.c, there is a negative-offset memcpy with an invalid size. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <7.1.0 |
show In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file. |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-27921: Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.2.0 |
show Pillow 8.2.0 includes a fix for CVE-2021-25288: There is an out-of-bounds read in J2kDecode, in j2ku_gray_i. https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode |
Pillow | 6.2.2 | <8.3.0 |
show Pillow 8.3.0 includes a fix for CVE-2021-34552: Pillow through 8.2.0 and PIL (also known as Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow https://pillow.readthedocs.io/en/stable/releasenotes/index.html |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22816: path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 6.2.2 | <8.1.0 |
show Pillow 8.1.0 fixes TIFF OOB Write error. CVE-2020-35654 #5175. |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25292: The PDF parser allows a regular expression DoS (ReDoS) attack via a crafted PDF file because of a catastrophic backtracking regex. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-27922: Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.0 |
show In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations. |
Pillow | 6.2.2 | <8.2.0 |
show Pillow 8.2.0 includes a fix for CVE-2021-25287: There is an out-of-bounds read in J2kDecode, in j2ku_graya_la. https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode |
Pillow | 6.2.2 | <8.2.0 |
show Pillow version 8.2.0 includes a fix for CVE-2021-28677: For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \r and \n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a DoS of Pillow in the open phase, before an image was accepted for opening. https://lists.fedoraproject.org/archives/list/[email protected]/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/ https://github.com/python-pillow/Pillow/pull/5377 https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28677-fix-eps-dos-on-open |
Pillow | 6.2.2 | <9.0.1 |
show Pillow 9.0.1 includes a fix for CVE-2022-22817: PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A first patch was issued for version 9.0.0 but it did not prevent builtins available to lambda expressions. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html#security |
Pillow | 6.2.2 | >=5.2.0,<8.3.2 |
show Pillow from 5.2.0 and before 8.3.2 is vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function. https://github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd2f476e1b20b7cf38683754866b https://pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22815: path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 6.2.2 | <9.2.0 |
show Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification). |
Jinja2 | 2.11.2 | <2.11.3 |
show This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the '_punctuation_re regex' operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory. |
Jinja2 | 2.11.2 | <3.1.3 |
show Jinja2 before 3.1.3 is affected by a Cross-Site Scripting vulnerability. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template. The Jinja 'xmlattr' filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based. |
urllib3 | 1.25.8 | <1.26.17 , >=2.0.0a1,<2.0.5 |
show Urllib3 1.26.17 and 2.0.5 include a fix for CVE-2023-43804: Urllib3 doesn't treat the 'Cookie' HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a 'Cookie' header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f |
urllib3 | 1.25.8 | <1.25.9 |
show Urllib3 1.25.9 includes a fix for CVE-2020-26137: Urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116. https://github.com/python/cpython/issues/83784 https://github.com/urllib3/urllib3/pull/1800 |
urllib3 | 1.25.8 | <1.26.5 |
show Urllib3 1.26.5 includes a fix for CVE-2021-33503: When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. https://github.com/advisories/GHSA-q2q7-5pp4-w6pg |
urllib3 | 1.25.8 | <1.26.18 , >=2.0.0a1,<2.0.7 |
show Urllib3 1.26.18 and 2.0.7 include a fix for CVE-2023-45803: Request body not stripped after redirect from 303 status changes request method to GET. https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4 |
gunicorn | 19.8.1 | <19.10.0 , >=20.0.0,<20.0.1 |
show Gunicorn 20.0.1 fixes chunked encoding support to prevent http request smuggling attacks. https://github.com/benoitc/gunicorn/issues/2176 https://github.com/p4k03n4t0r/http-request-smuggling#request-smuggling-using-mitmproxy-and-gunicorn |
Werkzeug | 0.14.1 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-23934: Browsers may allow "nameless" cookies that look like '=value' instead of 'key=value'. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like '=__Host-test=bad' for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie '=__Host-test=bad' as __Host-test=bad'. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q |
Werkzeug | 0.14.1 | ==3.0.0 , <2.3.8 |
show Werkzeug 3.0.1 and 2.3.8 include a security fix: Slow multipart parsing for large parts potentially enabling DoS attacks. https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1 |
Werkzeug | 0.14.1 | >=0,<0.15.3 |
show Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id. |
Werkzeug | 0.14.1 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-25577: Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses 'request.data', 'request.form', 'request.files', or 'request.get_data(parse_form_data=False)', it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers. https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323 |
Werkzeug | 0.14.1 | >=0,<0.15.5 |
show In Pallets Werkzeug before 0.15.5, SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames. |
Flask-Admin | 1.5.2 | <=1.5.2 |
show Flask-Admin 1.5.3 includes a fix for CVE-2018-16516: Helpers.py in Flask-Admin 1.5.2 has Reflected XSS via a crafted URL. https://github.com/flask-admin/flask-admin/pull/1699 |
Flask-Caching | 1.4.0 | <=1.10.1 |
show Flask-caching is vulnerable to CVE-2021-33026: Flask-Caching extension for Flask relies on Pickle for deserialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code. NOTE: Project maintainers indicate that exploitation is extremely unlikely unless the machine is already compromised; in other cases, the attacker would be unable to write their payload to the cache and generate the required collision. https://github.com/pallets-eco/flask-caching/pull/209 |
Package | Installed | Affected | Info |
---|---|---|---|
lxml | 4.2.4 | <4.6.2 |
show Lxml 4.6.2 includes a fix for CVE-2020-27783: A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code. |
lxml | 4.2.4 | <4.9.1 |
show Lxml 4.9.1 includes a fix for CVE-2022-2309: NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered. |
lxml | 4.2.4 | <4.4.0 |
show In lxml before 4.4.0, when writing to file paths that contain the URL escape character '%', the file path could wrongly be mangled by URL unescaping and thus write to a different file or directory. Code that writes to file paths that are provided by untrusted sources, but that must work with previous versions of lxml, should best either reject paths that contain '%' characters, or otherwise make sure that the path does not contain maliciously injected '%XX' URL hex escapes for paths like '../'. https://github.com/lxml/lxml/commit/0245aba002f069a0b157282707bdf77418d1b5be |
lxml | 4.2.4 | <4.6.5 |
show Lxml 4.6.5 includes a fix for CVE-2021-43818: Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. |
lxml | 4.2.4 | <4.6.3 |
show Lxml version 4.6.3 includes a fix for CVE-2021-28957: An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formation attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. https://bugs.launchpad.net/lxml/+bug/1888153 |
lxml | 4.2.4 | <4.2.5 |
show Lxml 4.2.5 includes a fix for CVE-2018-19787: lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar issue to CVE-2014-3146. |
Flask | 0.12.4 | <2.2.5 , >=2.3.0,<2.3.2 |
show Flask 2.2.5 and 2.3.2 include a fix for CVE-2023-30861: When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches 'Set-Cookie' headers, it may send one client's 'session' cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met: 1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies. 2. The application sets 'session.permanent = True' 3. The application does not access or modify the session at any point during a request. 4. 'SESSION_REFRESH_EACH_REQUEST' enabled (the default). 5. The application does not set a 'Cache-Control' header to indicate that a page is private or should not be cached. This happens because vulnerable versions of Flask only set the 'Vary: Cookie' header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. https://github.com/pallets/flask/security/advisories/GHSA-m2qf-hxjv-5gpq |
Pillow | 6.2.2 | <=7.0.0 |
show In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out-of-bounds reads exist in the parsing of SGI image files, a different issue than CVE-2020-5311. |
Pillow | 6.2.2 | <8.1.0 |
show Pillow 8.1.0 includes a fix for SGI Decode buffer overrun. CVE-2020-35655 #5173. |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25289: TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. NOTE: this issue exists because of an incomplete fix for CVE-2020-35654. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | >=0,<8.1.2 |
show Certain versions of Pillow are susceptible to a denial of service via memory consumption due to inadequate validation of the reported size of a contained image in a BLP container. This can result in attempts to allocate excessively large amounts of memory. To mitigate or avoid this vulnerability, users should consider updating to a newer version that addresses the issue or following any provided workarounds, such as avoiding the processing of specially crafted invalid image files that may trigger this condition. For additional details and potential updates, users may refer to the CVE-2021-27921 entry or contact the software maintainers through the provided channels. |
Pillow | 6.2.2 | <9.0.1 |
show Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled. |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 ensures JpegImagePlugin stops at the end of a truncated file to avoid Denial of Service attacks. https://github.com/python-pillow/Pillow/pull/5921 https://github.com/advisories/GHSA-4fx9-vc88-q2xc |
Pillow | 6.2.2 | <9.1.1 |
show Pillow 9.1.1 addresses the CVE-2022-30595: libImaging/TgaRleDecode.c in Pillow 9.1.0 has a heap buffer overflow in the processing of invalid TGA image files. |
Pillow | 6.2.2 | <7.1.0 |
show In Pillow before 7.1.0, there are two Buffer Overflows in libImaging/TiffDecode.c. |
Pillow | 6.2.2 | <7.1.0 |
show Pillow before 7.1.0 has multiple out-of-bounds reads in libImaging/FliDecode.c. |
Pillow | 6.2.2 | <7.1.0 |
show In libImaging/PcxDecode.c in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer. |
Pillow | 6.2.2 | >=4.3.0,<8.1.1 |
show Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large. |
Pillow | 6.2.2 | <8.0.1 |
show Pillow 8.0.1 updates 'FreeType' used in binary wheels to v2.10.4 to include a security fix. |
Pillow | 6.2.2 | <10.3.0 |
show Pillow 10.3.0 introduces a security update addressing CVE-2024-28219 by replacing certain functions with strncpy to prevent buffer overflow issues. |
Pillow | 6.2.2 | >=0,<8.2.0 |
show An issue was discovered in Pillow before 8.2.0. PSDImagePlugin.PsdImageFile lacked a sanity check on the number of input layers relative to the size of the data block. This could lead to a DoS on Image.open prior to Image.load. |
Pillow | 6.2.2 | <10.0.0 |
show Pillow 10.0.0 includes a fix for CVE-2023-44271: Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument. https://github.com/python-pillow/Pillow/pull/7244 |
Pillow | 6.2.2 | <10.2.0 |
show Pillow is potentially vulnerable to DoS attacks through PIL.ImageFont.ImageFont.getmask(). A decompression bomb check has also been added to the affected function. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 excludes carriage return in PDF regex to help prevent ReDoS. https://github.com/python-pillow/Pillow/pull/5912 https://github.com/python-pillow/Pillow/commit/43b800d933c996226e4d7df00c33fcbe46d97363 |
Pillow | 6.2.2 | <8.2.0 |
show Pillow version 8.2.0 includes a fix for CVE-2021-28676: For FLI data, FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load. https://lists.fedoraproject.org/archives/list/[email protected]/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/ https://github.com/python-pillow/Pillow/pull/5377 https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28676-fix-fli-dos |
Pillow | 6.2.2 | <10.2.0 |
show Pillow is affected by an arbitrary code execution vulnerability. If an attacker has control over the keys passed to the environment argument of PIL.ImageMath.eval(), they may be able to execute arbitrary code. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 6.2.2 | <8.2.0 |
show Pillow version 8.2.0 includes a fix for CVE-2021-28678: For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data. https://lists.fedoraproject.org/archives/list/[email protected]/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/ https://github.com/python-pillow/Pillow/pull/5377 https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28678-fix-blp-dos |
Pillow | 6.2.2 | >=2.5.0,<10.0.1 |
show Pillow 10.0.1 updates its C dependency 'libwebp' to 1.3.2 to include a fix for a high-risk vulnerability. https://pillow.readthedocs.io/en/stable/releasenotes/10.0.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25291: In TiffDecode.c, there is an out-of-bounds read in TiffreadRGBATile via invalid tile boundaries. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25293: There is an out-of-bounds read in SGIRleDecode.c. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25290: In TiffDecode.c, there is a negative-offset memcpy with an invalid size. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <7.1.0 |
show In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file. |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-27921: Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.2.0 |
show Pillow 8.2.0 includes a fix for CVE-2021-25288: There is an out-of-bounds read in J2kDecode, in j2ku_gray_i. https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode |
Pillow | 6.2.2 | <8.3.0 |
show Pillow 8.3.0 includes a fix for CVE-2021-34552: Pillow through 8.2.0 and PIL (also known as Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow https://pillow.readthedocs.io/en/stable/releasenotes/index.html |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22816: path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 6.2.2 | <8.1.0 |
show Pillow 8.1.0 fixes TIFF OOB Write error. CVE-2020-35654 #5175. |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25292: The PDF parser allows a regular expression DoS (ReDoS) attack via a crafted PDF file because of a catastrophic backtracking regex. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-27922: Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.0 |
show In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations. |
Pillow | 6.2.2 | <8.2.0 |
show Pillow 8.2.0 includes a fix for CVE-2021-25287: There is an out-of-bounds read in J2kDecode, in j2ku_graya_la. https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode |
Pillow | 6.2.2 | <8.2.0 |
show Pillow version 8.2.0 includes a fix for CVE-2021-28677: For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \r and \n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a DoS of Pillow in the open phase, before an image was accepted for opening. https://lists.fedoraproject.org/archives/list/[email protected]/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/ https://github.com/python-pillow/Pillow/pull/5377 https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28677-fix-eps-dos-on-open |
Pillow | 6.2.2 | <9.0.1 |
show Pillow 9.0.1 includes a fix for CVE-2022-22817: PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A first patch was issued for version 9.0.0 but it did not prevent builtins available to lambda expressions. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html#security |
Pillow | 6.2.2 | >=5.2.0,<8.3.2 |
show Pillow from 5.2.0 and before 8.3.2 is vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function. https://github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd2f476e1b20b7cf38683754866b https://pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22815: path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 6.2.2 | <9.2.0 |
show Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification). |
Jinja2 | 2.11.2 | <2.11.3 |
show This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the '_punctuation_re regex' operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory. |
Jinja2 | 2.11.2 | <3.1.3 |
show Jinja2 before 3.1.3 is affected by a Cross-Site Scripting vulnerability. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template. The Jinja 'xmlattr' filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based. |
gunicorn | 19.8.1 | <19.10.0 , >=20.0.0,<20.0.1 |
show Gunicorn 20.0.1 fixes chunked encoding support to prevent http request smuggling attacks. https://github.com/benoitc/gunicorn/issues/2176 https://github.com/p4k03n4t0r/http-request-smuggling#request-smuggling-using-mitmproxy-and-gunicorn |
Werkzeug | 0.14.1 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-23934: Browsers may allow "nameless" cookies that look like '=value' instead of 'key=value'. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like '=__Host-test=bad' for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie '=__Host-test=bad' as __Host-test=bad'. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q |
Werkzeug | 0.14.1 | ==3.0.0 , <2.3.8 |
show Werkzeug 3.0.1 and 2.3.8 include a security fix: Slow multipart parsing for large parts potentially enabling DoS attacks. https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1 |
Werkzeug | 0.14.1 | >=0,<0.15.3 |
show Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id. |
Werkzeug | 0.14.1 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-25577: Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses 'request.data', 'request.form', 'request.files', or 'request.get_data(parse_form_data=False)', it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers. https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323 |
Werkzeug | 0.14.1 | >=0,<0.15.5 |
show In Pallets Werkzeug before 0.15.5, SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames. |
Flask-Admin | 1.5.2 | <=1.5.2 |
show Flask-Admin 1.5.3 includes a fix for CVE-2018-16516: Helpers.py in Flask-Admin 1.5.2 has Reflected XSS via a crafted URL. https://github.com/flask-admin/flask-admin/pull/1699 |
Flask-Caching | 1.4.0 | <=1.10.1 |
show Flask-caching is vulnerable to CVE-2021-33026: Flask-Caching extension for Flask relies on Pickle for deserialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code. NOTE: Project maintainers indicate that exploitation is extremely unlikely unless the machine is already compromised; in other cases, the attacker would be unable to write their payload to the cache and generate the required collision. https://github.com/pallets-eco/flask-caching/pull/209 |
Package | Installed | Affected | Info |
---|---|---|---|
lxml | 4.2.4 | <4.6.2 |
show Lxml 4.6.2 includes a fix for CVE-2020-27783: A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code. |
lxml | 4.2.4 | <4.9.1 |
show Lxml 4.9.1 includes a fix for CVE-2022-2309: NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered. |
lxml | 4.2.4 | <4.4.0 |
show In lxml before 4.4.0, when writing to file paths that contain the URL escape character '%', the file path could wrongly be mangled by URL unescaping and thus write to a different file or directory. Code that writes to file paths that are provided by untrusted sources, but that must work with previous versions of lxml, should best either reject paths that contain '%' characters, or otherwise make sure that the path does not contain maliciously injected '%XX' URL hex escapes for paths like '../'. https://github.com/lxml/lxml/commit/0245aba002f069a0b157282707bdf77418d1b5be |
lxml | 4.2.4 | <4.6.5 |
show Lxml 4.6.5 includes a fix for CVE-2021-43818: Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. |
lxml | 4.2.4 | <4.6.3 |
show Lxml version 4.6.3 includes a fix for CVE-2021-28957: An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formation attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. https://bugs.launchpad.net/lxml/+bug/1888153 |
lxml | 4.2.4 | <4.2.5 |
show Lxml 4.2.5 includes a fix for CVE-2018-19787: lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar issue to CVE-2014-3146. |
Flask | 0.12.4 | <2.2.5 , >=2.3.0,<2.3.2 |
show Flask 2.2.5 and 2.3.2 include a fix for CVE-2023-30861: When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches 'Set-Cookie' headers, it may send one client's 'session' cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met: 1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies. 2. The application sets 'session.permanent = True' 3. The application does not access or modify the session at any point during a request. 4. 'SESSION_REFRESH_EACH_REQUEST' enabled (the default). 5. The application does not set a 'Cache-Control' header to indicate that a page is private or should not be cached. This happens because vulnerable versions of Flask only set the 'Vary: Cookie' header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. https://github.com/pallets/flask/security/advisories/GHSA-m2qf-hxjv-5gpq |
Pillow | 6.2.2 | <=7.0.0 |
show In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out-of-bounds reads exist in the parsing of SGI image files, a different issue than CVE-2020-5311. |
Pillow | 6.2.2 | <8.1.0 |
show Pillow 8.1.0 includes a fix for SGI Decode buffer overrun. CVE-2020-35655 #5173. |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25289: TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. NOTE: this issue exists because of an incomplete fix for CVE-2020-35654. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | >=0,<8.1.2 |
show Certain versions of Pillow are susceptible to a denial of service via memory consumption due to inadequate validation of the reported size of a contained image in a BLP container. This can result in attempts to allocate excessively large amounts of memory. To mitigate or avoid this vulnerability, users should consider updating to a newer version that addresses the issue or following any provided workarounds, such as avoiding the processing of specially crafted invalid image files that may trigger this condition. For additional details and potential updates, users may refer to the CVE-2021-27921 entry or contact the software maintainers through the provided channels. |
Pillow | 6.2.2 | <9.0.1 |
show Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled. |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 ensures JpegImagePlugin stops at the end of a truncated file to avoid Denial of Service attacks. https://github.com/python-pillow/Pillow/pull/5921 https://github.com/advisories/GHSA-4fx9-vc88-q2xc |
Pillow | 6.2.2 | <9.1.1 |
show Pillow 9.1.1 addresses the CVE-2022-30595: libImaging/TgaRleDecode.c in Pillow 9.1.0 has a heap buffer overflow in the processing of invalid TGA image files. |
Pillow | 6.2.2 | <7.1.0 |
show In Pillow before 7.1.0, there are two Buffer Overflows in libImaging/TiffDecode.c. |
Pillow | 6.2.2 | <7.1.0 |
show Pillow before 7.1.0 has multiple out-of-bounds reads in libImaging/FliDecode.c. |
Pillow | 6.2.2 | <7.1.0 |
show In libImaging/PcxDecode.c in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer. |
Pillow | 6.2.2 | >=4.3.0,<8.1.1 |
show Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large. |
Pillow | 6.2.2 | <8.0.1 |
show Pillow 8.0.1 updates 'FreeType' used in binary wheels to v2.10.4 to include a security fix. |
Pillow | 6.2.2 | <10.3.0 |
show Pillow 10.3.0 introduces a security update addressing CVE-2024-28219 by replacing certain functions with strncpy to prevent buffer overflow issues. |
Pillow | 6.2.2 | >=0,<8.2.0 |
show An issue was discovered in Pillow before 8.2.0. PSDImagePlugin.PsdImageFile lacked a sanity check on the number of input layers relative to the size of the data block. This could lead to a DoS on Image.open prior to Image.load. |
Pillow | 6.2.2 | <10.0.0 |
show Pillow 10.0.0 includes a fix for CVE-2023-44271: Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument. https://github.com/python-pillow/Pillow/pull/7244 |
Pillow | 6.2.2 | <10.2.0 |
show Pillow is potentially vulnerable to DoS attacks through PIL.ImageFont.ImageFont.getmask(). A decompression bomb check has also been added to the affected function. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 excludes carriage return in PDF regex to help prevent ReDoS. https://github.com/python-pillow/Pillow/pull/5912 https://github.com/python-pillow/Pillow/commit/43b800d933c996226e4d7df00c33fcbe46d97363 |
Pillow | 6.2.2 | <8.2.0 |
show Pillow version 8.2.0 includes a fix for CVE-2021-28676: For FLI data, FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load. https://lists.fedoraproject.org/archives/list/[email protected]/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/ https://github.com/python-pillow/Pillow/pull/5377 https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28676-fix-fli-dos |
Pillow | 6.2.2 | <10.2.0 |
show Pillow is affected by an arbitrary code execution vulnerability. If an attacker has control over the keys passed to the environment argument of PIL.ImageMath.eval(), they may be able to execute arbitrary code. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 6.2.2 | <8.2.0 |
show Pillow version 8.2.0 includes a fix for CVE-2021-28678: For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data. https://lists.fedoraproject.org/archives/list/[email protected]/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/ https://github.com/python-pillow/Pillow/pull/5377 https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28678-fix-blp-dos |
Pillow | 6.2.2 | >=2.5.0,<10.0.1 |
show Pillow 10.0.1 updates its C dependency 'libwebp' to 1.3.2 to include a fix for a high-risk vulnerability. https://pillow.readthedocs.io/en/stable/releasenotes/10.0.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25291: In TiffDecode.c, there is an out-of-bounds read in TiffreadRGBATile via invalid tile boundaries. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25293: There is an out-of-bounds read in SGIRleDecode.c. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25290: In TiffDecode.c, there is a negative-offset memcpy with an invalid size. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <7.1.0 |
show In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file. |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-27921: Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.2.0 |
show Pillow 8.2.0 includes a fix for CVE-2021-25288: There is an out-of-bounds read in J2kDecode, in j2ku_gray_i. https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode |
Pillow | 6.2.2 | <8.3.0 |
show Pillow 8.3.0 includes a fix for CVE-2021-34552: Pillow through 8.2.0 and PIL (also known as Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow https://pillow.readthedocs.io/en/stable/releasenotes/index.html |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22816: path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 6.2.2 | <8.1.0 |
show Pillow 8.1.0 fixes TIFF OOB Write error. CVE-2020-35654 #5175. |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25292: The PDF parser allows a regular expression DoS (ReDoS) attack via a crafted PDF file because of a catastrophic backtracking regex. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-27922: Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.0 |
show In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations. |
Pillow | 6.2.2 | <8.2.0 |
show Pillow 8.2.0 includes a fix for CVE-2021-25287: There is an out-of-bounds read in J2kDecode, in j2ku_graya_la. https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode |
Pillow | 6.2.2 | <8.2.0 |
show Pillow version 8.2.0 includes a fix for CVE-2021-28677: For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \r and \n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a DoS of Pillow in the open phase, before an image was accepted for opening. https://lists.fedoraproject.org/archives/list/[email protected]/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/ https://github.com/python-pillow/Pillow/pull/5377 https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28677-fix-eps-dos-on-open |
Pillow | 6.2.2 | <9.0.1 |
show Pillow 9.0.1 includes a fix for CVE-2022-22817: PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A first patch was issued for version 9.0.0 but it did not prevent builtins available to lambda expressions. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html#security |
Pillow | 6.2.2 | >=5.2.0,<8.3.2 |
show Pillow from 5.2.0 and before 8.3.2 is vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function. https://github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd2f476e1b20b7cf38683754866b https://pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22815: path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 6.2.2 | <9.2.0 |
show Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification). |
Jinja2 | 2.11.2 | <2.11.3 |
show This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the '_punctuation_re regex' operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory. |
Jinja2 | 2.11.2 | <3.1.3 |
show Jinja2 before 3.1.3 is affected by a Cross-Site Scripting vulnerability. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template. The Jinja 'xmlattr' filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based. |
urllib3 | 1.25.8 | <1.26.17 , >=2.0.0a1,<2.0.5 |
show Urllib3 1.26.17 and 2.0.5 include a fix for CVE-2023-43804: Urllib3 doesn't treat the 'Cookie' HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a 'Cookie' header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f |
urllib3 | 1.25.8 | <1.25.9 |
show Urllib3 1.25.9 includes a fix for CVE-2020-26137: Urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116. https://github.com/python/cpython/issues/83784 https://github.com/urllib3/urllib3/pull/1800 |
urllib3 | 1.25.8 | <1.26.5 |
show Urllib3 1.26.5 includes a fix for CVE-2021-33503: When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. https://github.com/advisories/GHSA-q2q7-5pp4-w6pg |
urllib3 | 1.25.8 | <1.26.18 , >=2.0.0a1,<2.0.7 |
show Urllib3 1.26.18 and 2.0.7 include a fix for CVE-2023-45803: Request body not stripped after redirect from 303 status changes request method to GET. https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4 |
gunicorn | 19.8.1 | <19.10.0 , >=20.0.0,<20.0.1 |
show Gunicorn 20.0.1 fixes chunked encoding support to prevent http request smuggling attacks. https://github.com/benoitc/gunicorn/issues/2176 https://github.com/p4k03n4t0r/http-request-smuggling#request-smuggling-using-mitmproxy-and-gunicorn |
Werkzeug | 0.14.1 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-23934: Browsers may allow "nameless" cookies that look like '=value' instead of 'key=value'. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like '=__Host-test=bad' for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie '=__Host-test=bad' as __Host-test=bad'. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q |
Werkzeug | 0.14.1 | ==3.0.0 , <2.3.8 |
show Werkzeug 3.0.1 and 2.3.8 include a security fix: Slow multipart parsing for large parts potentially enabling DoS attacks. https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1 |
Werkzeug | 0.14.1 | >=0,<0.15.3 |
show Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id. |
Werkzeug | 0.14.1 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-25577: Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses 'request.data', 'request.form', 'request.files', or 'request.get_data(parse_form_data=False)', it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers. https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323 |
Werkzeug | 0.14.1 | >=0,<0.15.5 |
show In Pallets Werkzeug before 0.15.5, SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames. |
Flask-Admin | 1.5.2 | <=1.5.2 |
show Flask-Admin 1.5.3 includes a fix for CVE-2018-16516: Helpers.py in Flask-Admin 1.5.2 has Reflected XSS via a crafted URL. https://github.com/flask-admin/flask-admin/pull/1699 |
Flask-Caching | 1.4.0 | <=1.10.1 |
show Flask-caching is vulnerable to CVE-2021-33026: Flask-Caching extension for Flask relies on Pickle for deserialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code. NOTE: Project maintainers indicate that exploitation is extremely unlikely unless the machine is already compromised; in other cases, the attacker would be unable to write their payload to the cache and generate the required collision. https://github.com/pallets-eco/flask-caching/pull/209 |
Package | Installed | Affected | Info |
---|---|---|---|
lxml | 4.2.4 | <4.6.2 |
show Lxml 4.6.2 includes a fix for CVE-2020-27783: A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code. |
lxml | 4.2.4 | <4.9.1 |
show Lxml 4.9.1 includes a fix for CVE-2022-2309: NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered. |
lxml | 4.2.4 | <4.4.0 |
show In lxml before 4.4.0, when writing to file paths that contain the URL escape character '%', the file path could wrongly be mangled by URL unescaping and thus write to a different file or directory. Code that writes to file paths that are provided by untrusted sources, but that must work with previous versions of lxml, should best either reject paths that contain '%' characters, or otherwise make sure that the path does not contain maliciously injected '%XX' URL hex escapes for paths like '../'. https://github.com/lxml/lxml/commit/0245aba002f069a0b157282707bdf77418d1b5be |
lxml | 4.2.4 | <4.6.5 |
show Lxml 4.6.5 includes a fix for CVE-2021-43818: Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. |
lxml | 4.2.4 | <4.6.3 |
show Lxml version 4.6.3 includes a fix for CVE-2021-28957: An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formation attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. https://bugs.launchpad.net/lxml/+bug/1888153 |
lxml | 4.2.4 | <4.2.5 |
show Lxml 4.2.5 includes a fix for CVE-2018-19787: lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar issue to CVE-2014-3146. |
Flask | 0.12.4 | <2.2.5 , >=2.3.0,<2.3.2 |
show Flask 2.2.5 and 2.3.2 include a fix for CVE-2023-30861: When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches 'Set-Cookie' headers, it may send one client's 'session' cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met: 1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies. 2. The application sets 'session.permanent = True' 3. The application does not access or modify the session at any point during a request. 4. 'SESSION_REFRESH_EACH_REQUEST' enabled (the default). 5. The application does not set a 'Cache-Control' header to indicate that a page is private or should not be cached. This happens because vulnerable versions of Flask only set the 'Vary: Cookie' header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. https://github.com/pallets/flask/security/advisories/GHSA-m2qf-hxjv-5gpq |
Pillow | 6.2.2 | <=7.0.0 |
show In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out-of-bounds reads exist in the parsing of SGI image files, a different issue than CVE-2020-5311. |
Pillow | 6.2.2 | <8.1.0 |
show Pillow 8.1.0 includes a fix for SGI Decode buffer overrun. CVE-2020-35655 #5173. |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25289: TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. NOTE: this issue exists because of an incomplete fix for CVE-2020-35654. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | >=0,<8.1.2 |
show Certain versions of Pillow are susceptible to a denial of service via memory consumption due to inadequate validation of the reported size of a contained image in a BLP container. This can result in attempts to allocate excessively large amounts of memory. To mitigate or avoid this vulnerability, users should consider updating to a newer version that addresses the issue or following any provided workarounds, such as avoiding the processing of specially crafted invalid image files that may trigger this condition. For additional details and potential updates, users may refer to the CVE-2021-27921 entry or contact the software maintainers through the provided channels. |
Pillow | 6.2.2 | <9.0.1 |
show Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled. |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 ensures JpegImagePlugin stops at the end of a truncated file to avoid Denial of Service attacks. https://github.com/python-pillow/Pillow/pull/5921 https://github.com/advisories/GHSA-4fx9-vc88-q2xc |
Pillow | 6.2.2 | <9.1.1 |
show Pillow 9.1.1 addresses the CVE-2022-30595: libImaging/TgaRleDecode.c in Pillow 9.1.0 has a heap buffer overflow in the processing of invalid TGA image files. |
Pillow | 6.2.2 | <7.1.0 |
show In Pillow before 7.1.0, there are two Buffer Overflows in libImaging/TiffDecode.c. |
Pillow | 6.2.2 | <7.1.0 |
show Pillow before 7.1.0 has multiple out-of-bounds reads in libImaging/FliDecode.c. |
Pillow | 6.2.2 | <7.1.0 |
show In libImaging/PcxDecode.c in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer. |
Pillow | 6.2.2 | >=4.3.0,<8.1.1 |
show Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large. |
Pillow | 6.2.2 | <8.0.1 |
show Pillow 8.0.1 updates 'FreeType' used in binary wheels to v2.10.4 to include a security fix. |
Pillow | 6.2.2 | <10.3.0 |
show Pillow 10.3.0 introduces a security update addressing CVE-2024-28219 by replacing certain functions with strncpy to prevent buffer overflow issues. |
Pillow | 6.2.2 | >=0,<8.2.0 |
show An issue was discovered in Pillow before 8.2.0. PSDImagePlugin.PsdImageFile lacked a sanity check on the number of input layers relative to the size of the data block. This could lead to a DoS on Image.open prior to Image.load. |
Pillow | 6.2.2 | <10.0.0 |
show Pillow 10.0.0 includes a fix for CVE-2023-44271: Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument. https://github.com/python-pillow/Pillow/pull/7244 |
Pillow | 6.2.2 | <10.2.0 |
show Pillow is potentially vulnerable to DoS attacks through PIL.ImageFont.ImageFont.getmask(). A decompression bomb check has also been added to the affected function. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 excludes carriage return in PDF regex to help prevent ReDoS. https://github.com/python-pillow/Pillow/pull/5912 https://github.com/python-pillow/Pillow/commit/43b800d933c996226e4d7df00c33fcbe46d97363 |
Pillow | 6.2.2 | <8.2.0 |
show Pillow version 8.2.0 includes a fix for CVE-2021-28676: For FLI data, FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load. https://lists.fedoraproject.org/archives/list/[email protected]/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/ https://github.com/python-pillow/Pillow/pull/5377 https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28676-fix-fli-dos |
Pillow | 6.2.2 | <10.2.0 |
show Pillow is affected by an arbitrary code execution vulnerability. If an attacker has control over the keys passed to the environment argument of PIL.ImageMath.eval(), they may be able to execute arbitrary code. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 6.2.2 | <8.2.0 |
show Pillow version 8.2.0 includes a fix for CVE-2021-28678: For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data. https://lists.fedoraproject.org/archives/list/[email protected]/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/ https://github.com/python-pillow/Pillow/pull/5377 https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28678-fix-blp-dos |
Pillow | 6.2.2 | >=2.5.0,<10.0.1 |
show Pillow 10.0.1 updates its C dependency 'libwebp' to 1.3.2 to include a fix for a high-risk vulnerability. https://pillow.readthedocs.io/en/stable/releasenotes/10.0.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25291: In TiffDecode.c, there is an out-of-bounds read in TiffreadRGBATile via invalid tile boundaries. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25293: There is an out-of-bounds read in SGIRleDecode.c. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25290: In TiffDecode.c, there is a negative-offset memcpy with an invalid size. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <7.1.0 |
show In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file. |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-27921: Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.2.0 |
show Pillow 8.2.0 includes a fix for CVE-2021-25288: There is an out-of-bounds read in J2kDecode, in j2ku_gray_i. https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode |
Pillow | 6.2.2 | <8.3.0 |
show Pillow 8.3.0 includes a fix for CVE-2021-34552: Pillow through 8.2.0 and PIL (also known as Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow https://pillow.readthedocs.io/en/stable/releasenotes/index.html |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22816: path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 6.2.2 | <8.1.0 |
show Pillow 8.1.0 fixes TIFF OOB Write error. CVE-2020-35654 #5175. |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25292: The PDF parser allows a regular expression DoS (ReDoS) attack via a crafted PDF file because of a catastrophic backtracking regex. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-27922: Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.0 |
show In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations. |
Pillow | 6.2.2 | <8.2.0 |
show Pillow 8.2.0 includes a fix for CVE-2021-25287: There is an out-of-bounds read in J2kDecode, in j2ku_graya_la. https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode |
Pillow | 6.2.2 | <8.2.0 |
show Pillow version 8.2.0 includes a fix for CVE-2021-28677: For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \r and \n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a DoS of Pillow in the open phase, before an image was accepted for opening. https://lists.fedoraproject.org/archives/list/[email protected]/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/ https://github.com/python-pillow/Pillow/pull/5377 https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28677-fix-eps-dos-on-open |
Pillow | 6.2.2 | <9.0.1 |
show Pillow 9.0.1 includes a fix for CVE-2022-22817: PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A first patch was issued for version 9.0.0 but it did not prevent builtins available to lambda expressions. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html#security |
Pillow | 6.2.2 | >=5.2.0,<8.3.2 |
show Pillow from 5.2.0 and before 8.3.2 is vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function. https://github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd2f476e1b20b7cf38683754866b https://pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22815: path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 6.2.2 | <9.2.0 |
show Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification). |
Jinja2 | 2.11.2 | <2.11.3 |
show This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the '_punctuation_re regex' operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory. |
Jinja2 | 2.11.2 | <3.1.3 |
show Jinja2 before 3.1.3 is affected by a Cross-Site Scripting vulnerability. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template. The Jinja 'xmlattr' filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based. |
urllib3 | 1.25.8 | <1.26.17 , >=2.0.0a1,<2.0.5 |
show Urllib3 1.26.17 and 2.0.5 include a fix for CVE-2023-43804: Urllib3 doesn't treat the 'Cookie' HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a 'Cookie' header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f |
urllib3 | 1.25.8 | <1.25.9 |
show Urllib3 1.25.9 includes a fix for CVE-2020-26137: Urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116. https://github.com/python/cpython/issues/83784 https://github.com/urllib3/urllib3/pull/1800 |
urllib3 | 1.25.8 | <1.26.5 |
show Urllib3 1.26.5 includes a fix for CVE-2021-33503: When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. https://github.com/advisories/GHSA-q2q7-5pp4-w6pg |
urllib3 | 1.25.8 | <1.26.18 , >=2.0.0a1,<2.0.7 |
show Urllib3 1.26.18 and 2.0.7 include a fix for CVE-2023-45803: Request body not stripped after redirect from 303 status changes request method to GET. https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4 |
gunicorn | 19.8.1 | <19.10.0 , >=20.0.0,<20.0.1 |
show Gunicorn 20.0.1 fixes chunked encoding support to prevent http request smuggling attacks. https://github.com/benoitc/gunicorn/issues/2176 https://github.com/p4k03n4t0r/http-request-smuggling#request-smuggling-using-mitmproxy-and-gunicorn |
Werkzeug | 0.14.1 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-23934: Browsers may allow "nameless" cookies that look like '=value' instead of 'key=value'. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like '=__Host-test=bad' for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie '=__Host-test=bad' as __Host-test=bad'. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q |
Werkzeug | 0.14.1 | ==3.0.0 , <2.3.8 |
show Werkzeug 3.0.1 and 2.3.8 include a security fix: Slow multipart parsing for large parts potentially enabling DoS attacks. https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1 |
Werkzeug | 0.14.1 | >=0,<0.15.3 |
show Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id. |
Werkzeug | 0.14.1 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-25577: Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses 'request.data', 'request.form', 'request.files', or 'request.get_data(parse_form_data=False)', it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers. https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323 |
Werkzeug | 0.14.1 | >=0,<0.15.5 |
show In Pallets Werkzeug before 0.15.5, SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames. |
Flask-Admin | 1.5.2 | <=1.5.2 |
show Flask-Admin 1.5.3 includes a fix for CVE-2018-16516: Helpers.py in Flask-Admin 1.5.2 has Reflected XSS via a crafted URL. https://github.com/flask-admin/flask-admin/pull/1699 |
Flask-Caching | 1.4.0 | <=1.10.1 |
show Flask-caching is vulnerable to CVE-2021-33026: Flask-Caching extension for Flask relies on Pickle for deserialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code. NOTE: Project maintainers indicate that exploitation is extremely unlikely unless the machine is already compromised; in other cases, the attacker would be unable to write their payload to the cache and generate the required collision. https://github.com/pallets-eco/flask-caching/pull/209 |
Package | Installed | Affected | Info |
---|---|---|---|
lxml | 4.2.4 | <4.6.2 |
show Lxml 4.6.2 includes a fix for CVE-2020-27783: A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code. |
lxml | 4.2.4 | <4.9.1 |
show Lxml 4.9.1 includes a fix for CVE-2022-2309: NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered. |
lxml | 4.2.4 | <4.4.0 |
show In lxml before 4.4.0, when writing to file paths that contain the URL escape character '%', the file path could wrongly be mangled by URL unescaping and thus write to a different file or directory. Code that writes to file paths that are provided by untrusted sources, but that must work with previous versions of lxml, should best either reject paths that contain '%' characters, or otherwise make sure that the path does not contain maliciously injected '%XX' URL hex escapes for paths like '../'. https://github.com/lxml/lxml/commit/0245aba002f069a0b157282707bdf77418d1b5be |
lxml | 4.2.4 | <4.6.5 |
show Lxml 4.6.5 includes a fix for CVE-2021-43818: Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. |
lxml | 4.2.4 | <4.6.3 |
show Lxml version 4.6.3 includes a fix for CVE-2021-28957: An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formation attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. https://bugs.launchpad.net/lxml/+bug/1888153 |
lxml | 4.2.4 | <4.2.5 |
show Lxml 4.2.5 includes a fix for CVE-2018-19787: lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar issue to CVE-2014-3146. |
Flask | 0.12.4 | <2.2.5 , >=2.3.0,<2.3.2 |
show Flask 2.2.5 and 2.3.2 include a fix for CVE-2023-30861: When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches 'Set-Cookie' headers, it may send one client's 'session' cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met: 1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies. 2. The application sets 'session.permanent = True' 3. The application does not access or modify the session at any point during a request. 4. 'SESSION_REFRESH_EACH_REQUEST' enabled (the default). 5. The application does not set a 'Cache-Control' header to indicate that a page is private or should not be cached. This happens because vulnerable versions of Flask only set the 'Vary: Cookie' header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. https://github.com/pallets/flask/security/advisories/GHSA-m2qf-hxjv-5gpq |
Pillow | 6.2.2 | <=7.0.0 |
show In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out-of-bounds reads exist in the parsing of SGI image files, a different issue than CVE-2020-5311. |
Pillow | 6.2.2 | <8.1.0 |
show Pillow 8.1.0 includes a fix for SGI Decode buffer overrun. CVE-2020-35655 #5173. |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25289: TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. NOTE: this issue exists because of an incomplete fix for CVE-2020-35654. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | >=0,<8.1.2 |
show Certain versions of Pillow are susceptible to a denial of service via memory consumption due to inadequate validation of the reported size of a contained image in a BLP container. This can result in attempts to allocate excessively large amounts of memory. To mitigate or avoid this vulnerability, users should consider updating to a newer version that addresses the issue or following any provided workarounds, such as avoiding the processing of specially crafted invalid image files that may trigger this condition. For additional details and potential updates, users may refer to the CVE-2021-27921 entry or contact the software maintainers through the provided channels. |
Pillow | 6.2.2 | <9.0.1 |
show Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled. |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 ensures JpegImagePlugin stops at the end of a truncated file to avoid Denial of Service attacks. https://github.com/python-pillow/Pillow/pull/5921 https://github.com/advisories/GHSA-4fx9-vc88-q2xc |
Pillow | 6.2.2 | <9.1.1 |
show Pillow 9.1.1 addresses the CVE-2022-30595: libImaging/TgaRleDecode.c in Pillow 9.1.0 has a heap buffer overflow in the processing of invalid TGA image files. |
Pillow | 6.2.2 | <7.1.0 |
show In Pillow before 7.1.0, there are two Buffer Overflows in libImaging/TiffDecode.c. |
Pillow | 6.2.2 | <7.1.0 |
show Pillow before 7.1.0 has multiple out-of-bounds reads in libImaging/FliDecode.c. |
Pillow | 6.2.2 | <7.1.0 |
show In libImaging/PcxDecode.c in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer. |
Pillow | 6.2.2 | >=4.3.0,<8.1.1 |
show Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large. |
Pillow | 6.2.2 | <8.0.1 |
show Pillow 8.0.1 updates 'FreeType' used in binary wheels to v2.10.4 to include a security fix. |
Pillow | 6.2.2 | <10.3.0 |
show Pillow 10.3.0 introduces a security update addressing CVE-2024-28219 by replacing certain functions with strncpy to prevent buffer overflow issues. |
Pillow | 6.2.2 | >=0,<8.2.0 |
show An issue was discovered in Pillow before 8.2.0. PSDImagePlugin.PsdImageFile lacked a sanity check on the number of input layers relative to the size of the data block. This could lead to a DoS on Image.open prior to Image.load. |
Pillow | 6.2.2 | <10.0.0 |
show Pillow 10.0.0 includes a fix for CVE-2023-44271: Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument. https://github.com/python-pillow/Pillow/pull/7244 |
Pillow | 6.2.2 | <10.2.0 |
show Pillow is potentially vulnerable to DoS attacks through PIL.ImageFont.ImageFont.getmask(). A decompression bomb check has also been added to the affected function. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 excludes carriage return in PDF regex to help prevent ReDoS. https://github.com/python-pillow/Pillow/pull/5912 https://github.com/python-pillow/Pillow/commit/43b800d933c996226e4d7df00c33fcbe46d97363 |
Pillow | 6.2.2 | <8.2.0 |
show Pillow version 8.2.0 includes a fix for CVE-2021-28676: For FLI data, FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load. https://lists.fedoraproject.org/archives/list/[email protected]/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/ https://github.com/python-pillow/Pillow/pull/5377 https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28676-fix-fli-dos |
Pillow | 6.2.2 | <10.2.0 |
show Pillow is affected by an arbitrary code execution vulnerability. If an attacker has control over the keys passed to the environment argument of PIL.ImageMath.eval(), they may be able to execute arbitrary code. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 6.2.2 | <8.2.0 |
show Pillow version 8.2.0 includes a fix for CVE-2021-28678: For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data. https://lists.fedoraproject.org/archives/list/[email protected]/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/ https://github.com/python-pillow/Pillow/pull/5377 https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28678-fix-blp-dos |
Pillow | 6.2.2 | >=2.5.0,<10.0.1 |
show Pillow 10.0.1 updates its C dependency 'libwebp' to 1.3.2 to include a fix for a high-risk vulnerability. https://pillow.readthedocs.io/en/stable/releasenotes/10.0.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25291: In TiffDecode.c, there is an out-of-bounds read in TiffreadRGBATile via invalid tile boundaries. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25293: There is an out-of-bounds read in SGIRleDecode.c. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25290: In TiffDecode.c, there is a negative-offset memcpy with an invalid size. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <7.1.0 |
show In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file. |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-27921: Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.2.0 |
show Pillow 8.2.0 includes a fix for CVE-2021-25288: There is an out-of-bounds read in J2kDecode, in j2ku_gray_i. https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode |
Pillow | 6.2.2 | <8.3.0 |
show Pillow 8.3.0 includes a fix for CVE-2021-34552: Pillow through 8.2.0 and PIL (also known as Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow https://pillow.readthedocs.io/en/stable/releasenotes/index.html |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22816: path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 6.2.2 | <8.1.0 |
show Pillow 8.1.0 fixes TIFF OOB Write error. CVE-2020-35654 #5175. |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25292: The PDF parser allows a regular expression DoS (ReDoS) attack via a crafted PDF file because of a catastrophic backtracking regex. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-27922: Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.0 |
show In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations. |
Pillow | 6.2.2 | <8.2.0 |
show Pillow 8.2.0 includes a fix for CVE-2021-25287: There is an out-of-bounds read in J2kDecode, in j2ku_graya_la. https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode |
Pillow | 6.2.2 | <8.2.0 |
show Pillow version 8.2.0 includes a fix for CVE-2021-28677: For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \r and \n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a DoS of Pillow in the open phase, before an image was accepted for opening. https://lists.fedoraproject.org/archives/list/[email protected]/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/ https://github.com/python-pillow/Pillow/pull/5377 https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28677-fix-eps-dos-on-open |
Pillow | 6.2.2 | <9.0.1 |
show Pillow 9.0.1 includes a fix for CVE-2022-22817: PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A first patch was issued for version 9.0.0 but it did not prevent builtins available to lambda expressions. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html#security |
Pillow | 6.2.2 | >=5.2.0,<8.3.2 |
show Pillow from 5.2.0 and before 8.3.2 is vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function. https://github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd2f476e1b20b7cf38683754866b https://pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22815: path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 6.2.2 | <9.2.0 |
show Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification). |
Jinja2 | 2.11.2 | <2.11.3 |
show This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the '_punctuation_re regex' operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory. |
Jinja2 | 2.11.2 | <3.1.3 |
show Jinja2 before 3.1.3 is affected by a Cross-Site Scripting vulnerability. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template. The Jinja 'xmlattr' filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based. |
urllib3 | 1.25.8 | <1.26.17 , >=2.0.0a1,<2.0.5 |
show Urllib3 1.26.17 and 2.0.5 include a fix for CVE-2023-43804: Urllib3 doesn't treat the 'Cookie' HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a 'Cookie' header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f |
urllib3 | 1.25.8 | <1.25.9 |
show Urllib3 1.25.9 includes a fix for CVE-2020-26137: Urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116. https://github.com/python/cpython/issues/83784 https://github.com/urllib3/urllib3/pull/1800 |
urllib3 | 1.25.8 | <1.26.5 |
show Urllib3 1.26.5 includes a fix for CVE-2021-33503: When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. https://github.com/advisories/GHSA-q2q7-5pp4-w6pg |
urllib3 | 1.25.8 | <1.26.18 , >=2.0.0a1,<2.0.7 |
show Urllib3 1.26.18 and 2.0.7 include a fix for CVE-2023-45803: Request body not stripped after redirect from 303 status changes request method to GET. https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4 |
gunicorn | 19.8.1 | <19.10.0 , >=20.0.0,<20.0.1 |
show Gunicorn 20.0.1 fixes chunked encoding support to prevent http request smuggling attacks. https://github.com/benoitc/gunicorn/issues/2176 https://github.com/p4k03n4t0r/http-request-smuggling#request-smuggling-using-mitmproxy-and-gunicorn |
Werkzeug | 0.14.1 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-23934: Browsers may allow "nameless" cookies that look like '=value' instead of 'key=value'. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like '=__Host-test=bad' for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie '=__Host-test=bad' as __Host-test=bad'. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q |
Werkzeug | 0.14.1 | ==3.0.0 , <2.3.8 |
show Werkzeug 3.0.1 and 2.3.8 include a security fix: Slow multipart parsing for large parts potentially enabling DoS attacks. https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1 |
Werkzeug | 0.14.1 | >=0,<0.15.3 |
show Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id. |
Werkzeug | 0.14.1 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-25577: Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses 'request.data', 'request.form', 'request.files', or 'request.get_data(parse_form_data=False)', it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers. https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323 |
Werkzeug | 0.14.1 | >=0,<0.15.5 |
show In Pallets Werkzeug before 0.15.5, SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames. |
Flask-Admin | 1.5.2 | <=1.5.2 |
show Flask-Admin 1.5.3 includes a fix for CVE-2018-16516: Helpers.py in Flask-Admin 1.5.2 has Reflected XSS via a crafted URL. https://github.com/flask-admin/flask-admin/pull/1699 |
Flask-Caching | 1.4.0 | <=1.10.1 |
show Flask-caching is vulnerable to CVE-2021-33026: Flask-Caching extension for Flask relies on Pickle for deserialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code. NOTE: Project maintainers indicate that exploitation is extremely unlikely unless the machine is already compromised; in other cases, the attacker would be unable to write their payload to the cache and generate the required collision. https://github.com/pallets-eco/flask-caching/pull/209 |
Package | Installed | Affected | Info |
---|---|---|---|
lxml | 4.2.4 | <4.6.2 |
show Lxml 4.6.2 includes a fix for CVE-2020-27783: A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code. |
lxml | 4.2.4 | <4.9.1 |
show Lxml 4.9.1 includes a fix for CVE-2022-2309: NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered. |
lxml | 4.2.4 | <4.4.0 |
show In lxml before 4.4.0, when writing to file paths that contain the URL escape character '%', the file path could wrongly be mangled by URL unescaping and thus write to a different file or directory. Code that writes to file paths that are provided by untrusted sources, but that must work with previous versions of lxml, should best either reject paths that contain '%' characters, or otherwise make sure that the path does not contain maliciously injected '%XX' URL hex escapes for paths like '../'. https://github.com/lxml/lxml/commit/0245aba002f069a0b157282707bdf77418d1b5be |
lxml | 4.2.4 | <4.6.5 |
show Lxml 4.6.5 includes a fix for CVE-2021-43818: Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. |
lxml | 4.2.4 | <4.6.3 |
show Lxml version 4.6.3 includes a fix for CVE-2021-28957: An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formation attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. https://bugs.launchpad.net/lxml/+bug/1888153 |
lxml | 4.2.4 | <4.2.5 |
show Lxml 4.2.5 includes a fix for CVE-2018-19787: lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar issue to CVE-2014-3146. |
Flask | 0.12.4 | <2.2.5 , >=2.3.0,<2.3.2 |
show Flask 2.2.5 and 2.3.2 include a fix for CVE-2023-30861: When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches 'Set-Cookie' headers, it may send one client's 'session' cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met: 1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies. 2. The application sets 'session.permanent = True' 3. The application does not access or modify the session at any point during a request. 4. 'SESSION_REFRESH_EACH_REQUEST' enabled (the default). 5. The application does not set a 'Cache-Control' header to indicate that a page is private or should not be cached. This happens because vulnerable versions of Flask only set the 'Vary: Cookie' header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. https://github.com/pallets/flask/security/advisories/GHSA-m2qf-hxjv-5gpq |
Pillow | 6.2.2 | <=7.0.0 |
show In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out-of-bounds reads exist in the parsing of SGI image files, a different issue than CVE-2020-5311. |
Pillow | 6.2.2 | <8.1.0 |
show Pillow 8.1.0 includes a fix for SGI Decode buffer overrun. CVE-2020-35655 #5173. |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25289: TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. NOTE: this issue exists because of an incomplete fix for CVE-2020-35654. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | >=0,<8.1.2 |
show Certain versions of Pillow are susceptible to a denial of service via memory consumption due to inadequate validation of the reported size of a contained image in a BLP container. This can result in attempts to allocate excessively large amounts of memory. To mitigate or avoid this vulnerability, users should consider updating to a newer version that addresses the issue or following any provided workarounds, such as avoiding the processing of specially crafted invalid image files that may trigger this condition. For additional details and potential updates, users may refer to the CVE-2021-27921 entry or contact the software maintainers through the provided channels. |
Pillow | 6.2.2 | <9.0.1 |
show Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled. |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 ensures JpegImagePlugin stops at the end of a truncated file to avoid Denial of Service attacks. https://github.com/python-pillow/Pillow/pull/5921 https://github.com/advisories/GHSA-4fx9-vc88-q2xc |
Pillow | 6.2.2 | <9.1.1 |
show Pillow 9.1.1 addresses the CVE-2022-30595: libImaging/TgaRleDecode.c in Pillow 9.1.0 has a heap buffer overflow in the processing of invalid TGA image files. |
Pillow | 6.2.2 | <7.1.0 |
show In Pillow before 7.1.0, there are two Buffer Overflows in libImaging/TiffDecode.c. |
Pillow | 6.2.2 | <7.1.0 |
show Pillow before 7.1.0 has multiple out-of-bounds reads in libImaging/FliDecode.c. |
Pillow | 6.2.2 | <7.1.0 |
show In libImaging/PcxDecode.c in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer. |
Pillow | 6.2.2 | >=4.3.0,<8.1.1 |
show Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large. |
Pillow | 6.2.2 | <8.0.1 |
show Pillow 8.0.1 updates 'FreeType' used in binary wheels to v2.10.4 to include a security fix. |
Pillow | 6.2.2 | <10.3.0 |
show Pillow 10.3.0 introduces a security update addressing CVE-2024-28219 by replacing certain functions with strncpy to prevent buffer overflow issues. |
Pillow | 6.2.2 | >=0,<8.2.0 |
show An issue was discovered in Pillow before 8.2.0. PSDImagePlugin.PsdImageFile lacked a sanity check on the number of input layers relative to the size of the data block. This could lead to a DoS on Image.open prior to Image.load. |
Pillow | 6.2.2 | <10.0.0 |
show Pillow 10.0.0 includes a fix for CVE-2023-44271: Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument. https://github.com/python-pillow/Pillow/pull/7244 |
Pillow | 6.2.2 | <10.2.0 |
show Pillow is potentially vulnerable to DoS attacks through PIL.ImageFont.ImageFont.getmask(). A decompression bomb check has also been added to the affected function. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 excludes carriage return in PDF regex to help prevent ReDoS. https://github.com/python-pillow/Pillow/pull/5912 https://github.com/python-pillow/Pillow/commit/43b800d933c996226e4d7df00c33fcbe46d97363 |
Pillow | 6.2.2 | <8.2.0 |
show Pillow version 8.2.0 includes a fix for CVE-2021-28676: For FLI data, FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load. https://lists.fedoraproject.org/archives/list/[email protected]/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/ https://github.com/python-pillow/Pillow/pull/5377 https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28676-fix-fli-dos |
Pillow | 6.2.2 | <10.2.0 |
show Pillow is affected by an arbitrary code execution vulnerability. If an attacker has control over the keys passed to the environment argument of PIL.ImageMath.eval(), they may be able to execute arbitrary code. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 6.2.2 | <8.2.0 |
show Pillow version 8.2.0 includes a fix for CVE-2021-28678: For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data. https://lists.fedoraproject.org/archives/list/[email protected]/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/ https://github.com/python-pillow/Pillow/pull/5377 https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28678-fix-blp-dos |
Pillow | 6.2.2 | >=2.5.0,<10.0.1 |
show Pillow 10.0.1 updates its C dependency 'libwebp' to 1.3.2 to include a fix for a high-risk vulnerability. https://pillow.readthedocs.io/en/stable/releasenotes/10.0.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25291: In TiffDecode.c, there is an out-of-bounds read in TiffreadRGBATile via invalid tile boundaries. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25293: There is an out-of-bounds read in SGIRleDecode.c. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25290: In TiffDecode.c, there is a negative-offset memcpy with an invalid size. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <7.1.0 |
show In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file. |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-27921: Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.2.0 |
show Pillow 8.2.0 includes a fix for CVE-2021-25288: There is an out-of-bounds read in J2kDecode, in j2ku_gray_i. https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode |
Pillow | 6.2.2 | <8.3.0 |
show Pillow 8.3.0 includes a fix for CVE-2021-34552: Pillow through 8.2.0 and PIL (also known as Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow https://pillow.readthedocs.io/en/stable/releasenotes/index.html |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22816: path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 6.2.2 | <8.1.0 |
show Pillow 8.1.0 fixes TIFF OOB Write error. CVE-2020-35654 #5175. |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25292: The PDF parser allows a regular expression DoS (ReDoS) attack via a crafted PDF file because of a catastrophic backtracking regex. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-27922: Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.0 |
show In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations. |
Pillow | 6.2.2 | <8.2.0 |
show Pillow 8.2.0 includes a fix for CVE-2021-25287: There is an out-of-bounds read in J2kDecode, in j2ku_graya_la. https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode |
Pillow | 6.2.2 | <8.2.0 |
show Pillow version 8.2.0 includes a fix for CVE-2021-28677: For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \r and \n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a DoS of Pillow in the open phase, before an image was accepted for opening. https://lists.fedoraproject.org/archives/list/[email protected]/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/ https://github.com/python-pillow/Pillow/pull/5377 https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28677-fix-eps-dos-on-open |
Pillow | 6.2.2 | <9.0.1 |
show Pillow 9.0.1 includes a fix for CVE-2022-22817: PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A first patch was issued for version 9.0.0 but it did not prevent builtins available to lambda expressions. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html#security |
Pillow | 6.2.2 | >=5.2.0,<8.3.2 |
show Pillow from 5.2.0 and before 8.3.2 is vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function. https://github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd2f476e1b20b7cf38683754866b https://pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22815: path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 6.2.2 | <9.2.0 |
show Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification). |
Jinja2 | 2.11.2 | <2.11.3 |
show This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the '_punctuation_re regex' operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory. |
Jinja2 | 2.11.2 | <3.1.3 |
show Jinja2 before 3.1.3 is affected by a Cross-Site Scripting vulnerability. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template. The Jinja 'xmlattr' filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based. |
urllib3 | 1.25.8 | <1.26.17 , >=2.0.0a1,<2.0.5 |
show Urllib3 1.26.17 and 2.0.5 include a fix for CVE-2023-43804: Urllib3 doesn't treat the 'Cookie' HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a 'Cookie' header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f |
urllib3 | 1.25.8 | <1.25.9 |
show Urllib3 1.25.9 includes a fix for CVE-2020-26137: Urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116. https://github.com/python/cpython/issues/83784 https://github.com/urllib3/urllib3/pull/1800 |
urllib3 | 1.25.8 | <1.26.5 |
show Urllib3 1.26.5 includes a fix for CVE-2021-33503: When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. https://github.com/advisories/GHSA-q2q7-5pp4-w6pg |
urllib3 | 1.25.8 | <1.26.18 , >=2.0.0a1,<2.0.7 |
show Urllib3 1.26.18 and 2.0.7 include a fix for CVE-2023-45803: Request body not stripped after redirect from 303 status changes request method to GET. https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4 |
gunicorn | 19.8.1 | <19.10.0 , >=20.0.0,<20.0.1 |
show Gunicorn 20.0.1 fixes chunked encoding support to prevent http request smuggling attacks. https://github.com/benoitc/gunicorn/issues/2176 https://github.com/p4k03n4t0r/http-request-smuggling#request-smuggling-using-mitmproxy-and-gunicorn |
Werkzeug | 0.14.1 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-23934: Browsers may allow "nameless" cookies that look like '=value' instead of 'key=value'. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like '=__Host-test=bad' for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie '=__Host-test=bad' as __Host-test=bad'. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q |
Werkzeug | 0.14.1 | ==3.0.0 , <2.3.8 |
show Werkzeug 3.0.1 and 2.3.8 include a security fix: Slow multipart parsing for large parts potentially enabling DoS attacks. https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1 |
Werkzeug | 0.14.1 | >=0,<0.15.3 |
show Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id. |
Werkzeug | 0.14.1 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-25577: Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses 'request.data', 'request.form', 'request.files', or 'request.get_data(parse_form_data=False)', it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers. https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323 |
Werkzeug | 0.14.1 | >=0,<0.15.5 |
show In Pallets Werkzeug before 0.15.5, SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames. |
Flask-Admin | 1.5.2 | <=1.5.2 |
show Flask-Admin 1.5.3 includes a fix for CVE-2018-16516: Helpers.py in Flask-Admin 1.5.2 has Reflected XSS via a crafted URL. https://github.com/flask-admin/flask-admin/pull/1699 |
Flask-Caching | 1.4.0 | <=1.10.1 |
show Flask-caching is vulnerable to CVE-2021-33026: Flask-Caching extension for Flask relies on Pickle for deserialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code. NOTE: Project maintainers indicate that exploitation is extremely unlikely unless the machine is already compromised; in other cases, the attacker would be unable to write their payload to the cache and generate the required collision. https://github.com/pallets-eco/flask-caching/pull/209 |
Package | Installed | Affected | Info |
---|---|---|---|
lxml | 4.2.4 | <4.6.2 |
show Lxml 4.6.2 includes a fix for CVE-2020-27783: A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code. |
lxml | 4.2.4 | <4.9.1 |
show Lxml 4.9.1 includes a fix for CVE-2022-2309: NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered. |
lxml | 4.2.4 | <4.4.0 |
show In lxml before 4.4.0, when writing to file paths that contain the URL escape character '%', the file path could wrongly be mangled by URL unescaping and thus write to a different file or directory. Code that writes to file paths that are provided by untrusted sources, but that must work with previous versions of lxml, should best either reject paths that contain '%' characters, or otherwise make sure that the path does not contain maliciously injected '%XX' URL hex escapes for paths like '../'. https://github.com/lxml/lxml/commit/0245aba002f069a0b157282707bdf77418d1b5be |
lxml | 4.2.4 | <4.6.5 |
show Lxml 4.6.5 includes a fix for CVE-2021-43818: Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. |
lxml | 4.2.4 | <4.6.3 |
show Lxml version 4.6.3 includes a fix for CVE-2021-28957: An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formation attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. https://bugs.launchpad.net/lxml/+bug/1888153 |
lxml | 4.2.4 | <4.2.5 |
show Lxml 4.2.5 includes a fix for CVE-2018-19787: lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar issue to CVE-2014-3146. |
Flask | 0.12.4 | <2.2.5 , >=2.3.0,<2.3.2 |
show Flask 2.2.5 and 2.3.2 include a fix for CVE-2023-30861: When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches 'Set-Cookie' headers, it may send one client's 'session' cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met: 1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies. 2. The application sets 'session.permanent = True' 3. The application does not access or modify the session at any point during a request. 4. 'SESSION_REFRESH_EACH_REQUEST' enabled (the default). 5. The application does not set a 'Cache-Control' header to indicate that a page is private or should not be cached. This happens because vulnerable versions of Flask only set the 'Vary: Cookie' header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. https://github.com/pallets/flask/security/advisories/GHSA-m2qf-hxjv-5gpq |
Pillow | 6.2.2 | <=7.0.0 |
show In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out-of-bounds reads exist in the parsing of SGI image files, a different issue than CVE-2020-5311. |
Pillow | 6.2.2 | <8.1.0 |
show Pillow 8.1.0 includes a fix for SGI Decode buffer overrun. CVE-2020-35655 #5173. |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25289: TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. NOTE: this issue exists because of an incomplete fix for CVE-2020-35654. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | >=0,<8.1.2 |
show Certain versions of Pillow are susceptible to a denial of service via memory consumption due to inadequate validation of the reported size of a contained image in a BLP container. This can result in attempts to allocate excessively large amounts of memory. To mitigate or avoid this vulnerability, users should consider updating to a newer version that addresses the issue or following any provided workarounds, such as avoiding the processing of specially crafted invalid image files that may trigger this condition. For additional details and potential updates, users may refer to the CVE-2021-27921 entry or contact the software maintainers through the provided channels. |
Pillow | 6.2.2 | <9.0.1 |
show Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled. |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 ensures JpegImagePlugin stops at the end of a truncated file to avoid Denial of Service attacks. https://github.com/python-pillow/Pillow/pull/5921 https://github.com/advisories/GHSA-4fx9-vc88-q2xc |
Pillow | 6.2.2 | <9.1.1 |
show Pillow 9.1.1 addresses the CVE-2022-30595: libImaging/TgaRleDecode.c in Pillow 9.1.0 has a heap buffer overflow in the processing of invalid TGA image files. |
Pillow | 6.2.2 | <7.1.0 |
show In Pillow before 7.1.0, there are two Buffer Overflows in libImaging/TiffDecode.c. |
Pillow | 6.2.2 | <7.1.0 |
show Pillow before 7.1.0 has multiple out-of-bounds reads in libImaging/FliDecode.c. |
Pillow | 6.2.2 | <7.1.0 |
show In libImaging/PcxDecode.c in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer. |
Pillow | 6.2.2 | >=4.3.0,<8.1.1 |
show Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large. |
Pillow | 6.2.2 | <8.0.1 |
show Pillow 8.0.1 updates 'FreeType' used in binary wheels to v2.10.4 to include a security fix. |
Pillow | 6.2.2 | <10.3.0 |
show Pillow 10.3.0 introduces a security update addressing CVE-2024-28219 by replacing certain functions with strncpy to prevent buffer overflow issues. |
Pillow | 6.2.2 | >=0,<8.2.0 |
show An issue was discovered in Pillow before 8.2.0. PSDImagePlugin.PsdImageFile lacked a sanity check on the number of input layers relative to the size of the data block. This could lead to a DoS on Image.open prior to Image.load. |
Pillow | 6.2.2 | <10.0.0 |
show Pillow 10.0.0 includes a fix for CVE-2023-44271: Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument. https://github.com/python-pillow/Pillow/pull/7244 |
Pillow | 6.2.2 | <10.2.0 |
show Pillow is potentially vulnerable to DoS attacks through PIL.ImageFont.ImageFont.getmask(). A decompression bomb check has also been added to the affected function. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 excludes carriage return in PDF regex to help prevent ReDoS. https://github.com/python-pillow/Pillow/pull/5912 https://github.com/python-pillow/Pillow/commit/43b800d933c996226e4d7df00c33fcbe46d97363 |
Pillow | 6.2.2 | <8.2.0 |
show Pillow version 8.2.0 includes a fix for CVE-2021-28676: For FLI data, FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load. https://lists.fedoraproject.org/archives/list/[email protected]/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/ https://github.com/python-pillow/Pillow/pull/5377 https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28676-fix-fli-dos |
Pillow | 6.2.2 | <10.2.0 |
show Pillow is affected by an arbitrary code execution vulnerability. If an attacker has control over the keys passed to the environment argument of PIL.ImageMath.eval(), they may be able to execute arbitrary code. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 6.2.2 | <8.2.0 |
show Pillow version 8.2.0 includes a fix for CVE-2021-28678: For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data. https://lists.fedoraproject.org/archives/list/[email protected]/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/ https://github.com/python-pillow/Pillow/pull/5377 https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28678-fix-blp-dos |
Pillow | 6.2.2 | >=2.5.0,<10.0.1 |
show Pillow 10.0.1 updates its C dependency 'libwebp' to 1.3.2 to include a fix for a high-risk vulnerability. https://pillow.readthedocs.io/en/stable/releasenotes/10.0.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25291: In TiffDecode.c, there is an out-of-bounds read in TiffreadRGBATile via invalid tile boundaries. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25293: There is an out-of-bounds read in SGIRleDecode.c. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25290: In TiffDecode.c, there is a negative-offset memcpy with an invalid size. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <7.1.0 |
show In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file. |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-27921: Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.2.0 |
show Pillow 8.2.0 includes a fix for CVE-2021-25288: There is an out-of-bounds read in J2kDecode, in j2ku_gray_i. https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode |
Pillow | 6.2.2 | <8.3.0 |
show Pillow 8.3.0 includes a fix for CVE-2021-34552: Pillow through 8.2.0 and PIL (also known as Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow https://pillow.readthedocs.io/en/stable/releasenotes/index.html |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22816: path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 6.2.2 | <8.1.0 |
show Pillow 8.1.0 fixes TIFF OOB Write error. CVE-2020-35654 #5175. |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25292: The PDF parser allows a regular expression DoS (ReDoS) attack via a crafted PDF file because of a catastrophic backtracking regex. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-27922: Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.0 |
show In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations. |
Pillow | 6.2.2 | <8.2.0 |
show Pillow 8.2.0 includes a fix for CVE-2021-25287: There is an out-of-bounds read in J2kDecode, in j2ku_graya_la. https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode |
Pillow | 6.2.2 | <8.2.0 |
show Pillow version 8.2.0 includes a fix for CVE-2021-28677: For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \r and \n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a DoS of Pillow in the open phase, before an image was accepted for opening. https://lists.fedoraproject.org/archives/list/[email protected]/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/ https://github.com/python-pillow/Pillow/pull/5377 https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28677-fix-eps-dos-on-open |
Pillow | 6.2.2 | <9.0.1 |
show Pillow 9.0.1 includes a fix for CVE-2022-22817: PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A first patch was issued for version 9.0.0 but it did not prevent builtins available to lambda expressions. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html#security |
Pillow | 6.2.2 | >=5.2.0,<8.3.2 |
show Pillow from 5.2.0 and before 8.3.2 is vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function. https://github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd2f476e1b20b7cf38683754866b https://pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22815: path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 6.2.2 | <9.2.0 |
show Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification). |
Jinja2 | 2.11.2 | <2.11.3 |
show This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the '_punctuation_re regex' operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory. |
Jinja2 | 2.11.2 | <3.1.3 |
show Jinja2 before 3.1.3 is affected by a Cross-Site Scripting vulnerability. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template. The Jinja 'xmlattr' filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based. |
urllib3 | 1.25.8 | <1.26.17 , >=2.0.0a1,<2.0.5 |
show Urllib3 1.26.17 and 2.0.5 include a fix for CVE-2023-43804: Urllib3 doesn't treat the 'Cookie' HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a 'Cookie' header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f |
urllib3 | 1.25.8 | <1.25.9 |
show Urllib3 1.25.9 includes a fix for CVE-2020-26137: Urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116. https://github.com/python/cpython/issues/83784 https://github.com/urllib3/urllib3/pull/1800 |
urllib3 | 1.25.8 | <1.26.5 |
show Urllib3 1.26.5 includes a fix for CVE-2021-33503: When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. https://github.com/advisories/GHSA-q2q7-5pp4-w6pg |
urllib3 | 1.25.8 | <1.26.18 , >=2.0.0a1,<2.0.7 |
show Urllib3 1.26.18 and 2.0.7 include a fix for CVE-2023-45803: Request body not stripped after redirect from 303 status changes request method to GET. https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4 |
gunicorn | 19.8.1 | <19.10.0 , >=20.0.0,<20.0.1 |
show Gunicorn 20.0.1 fixes chunked encoding support to prevent http request smuggling attacks. https://github.com/benoitc/gunicorn/issues/2176 https://github.com/p4k03n4t0r/http-request-smuggling#request-smuggling-using-mitmproxy-and-gunicorn |
Werkzeug | 0.14.1 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-23934: Browsers may allow "nameless" cookies that look like '=value' instead of 'key=value'. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like '=__Host-test=bad' for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie '=__Host-test=bad' as __Host-test=bad'. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q |
Werkzeug | 0.14.1 | ==3.0.0 , <2.3.8 |
show Werkzeug 3.0.1 and 2.3.8 include a security fix: Slow multipart parsing for large parts potentially enabling DoS attacks. https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1 |
Werkzeug | 0.14.1 | >=0,<0.15.3 |
show Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id. |
Werkzeug | 0.14.1 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-25577: Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses 'request.data', 'request.form', 'request.files', or 'request.get_data(parse_form_data=False)', it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers. https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323 |
Werkzeug | 0.14.1 | >=0,<0.15.5 |
show In Pallets Werkzeug before 0.15.5, SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames. |
Flask-Admin | 1.5.2 | <=1.5.2 |
show Flask-Admin 1.5.3 includes a fix for CVE-2018-16516: Helpers.py in Flask-Admin 1.5.2 has Reflected XSS via a crafted URL. https://github.com/flask-admin/flask-admin/pull/1699 |
Flask-Caching | 1.4.0 | <=1.10.1 |
show Flask-caching is vulnerable to CVE-2021-33026: Flask-Caching extension for Flask relies on Pickle for deserialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code. NOTE: Project maintainers indicate that exploitation is extremely unlikely unless the machine is already compromised; in other cases, the attacker would be unable to write their payload to the cache and generate the required collision. https://github.com/pallets-eco/flask-caching/pull/209 |
Package | Installed | Affected | Info |
---|---|---|---|
lxml | 4.2.4 | <4.6.2 |
show Lxml 4.6.2 includes a fix for CVE-2020-27783: A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code. |
lxml | 4.2.4 | <4.9.1 |
show Lxml 4.9.1 includes a fix for CVE-2022-2309: NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered. |
lxml | 4.2.4 | <4.4.0 |
show In lxml before 4.4.0, when writing to file paths that contain the URL escape character '%', the file path could wrongly be mangled by URL unescaping and thus write to a different file or directory. Code that writes to file paths that are provided by untrusted sources, but that must work with previous versions of lxml, should best either reject paths that contain '%' characters, or otherwise make sure that the path does not contain maliciously injected '%XX' URL hex escapes for paths like '../'. https://github.com/lxml/lxml/commit/0245aba002f069a0b157282707bdf77418d1b5be |
lxml | 4.2.4 | <4.6.5 |
show Lxml 4.6.5 includes a fix for CVE-2021-43818: Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. |
lxml | 4.2.4 | <4.6.3 |
show Lxml version 4.6.3 includes a fix for CVE-2021-28957: An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formation attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. https://bugs.launchpad.net/lxml/+bug/1888153 |
lxml | 4.2.4 | <4.2.5 |
show Lxml 4.2.5 includes a fix for CVE-2018-19787: lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar issue to CVE-2014-3146. |
Flask | 0.12.4 | <2.2.5 , >=2.3.0,<2.3.2 |
show Flask 2.2.5 and 2.3.2 include a fix for CVE-2023-30861: When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches 'Set-Cookie' headers, it may send one client's 'session' cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met: 1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies. 2. The application sets 'session.permanent = True' 3. The application does not access or modify the session at any point during a request. 4. 'SESSION_REFRESH_EACH_REQUEST' enabled (the default). 5. The application does not set a 'Cache-Control' header to indicate that a page is private or should not be cached. This happens because vulnerable versions of Flask only set the 'Vary: Cookie' header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. https://github.com/pallets/flask/security/advisories/GHSA-m2qf-hxjv-5gpq |
Pillow | 6.2.2 | <=7.0.0 |
show In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out-of-bounds reads exist in the parsing of SGI image files, a different issue than CVE-2020-5311. |
Pillow | 6.2.2 | <8.1.0 |
show Pillow 8.1.0 includes a fix for SGI Decode buffer overrun. CVE-2020-35655 #5173. |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25289: TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. NOTE: this issue exists because of an incomplete fix for CVE-2020-35654. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | >=0,<8.1.2 |
show Certain versions of Pillow are susceptible to a denial of service via memory consumption due to inadequate validation of the reported size of a contained image in a BLP container. This can result in attempts to allocate excessively large amounts of memory. To mitigate or avoid this vulnerability, users should consider updating to a newer version that addresses the issue or following any provided workarounds, such as avoiding the processing of specially crafted invalid image files that may trigger this condition. For additional details and potential updates, users may refer to the CVE-2021-27921 entry or contact the software maintainers through the provided channels. |
Pillow | 6.2.2 | <9.0.1 |
show Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled. |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 ensures JpegImagePlugin stops at the end of a truncated file to avoid Denial of Service attacks. https://github.com/python-pillow/Pillow/pull/5921 https://github.com/advisories/GHSA-4fx9-vc88-q2xc |
Pillow | 6.2.2 | <9.1.1 |
show Pillow 9.1.1 addresses the CVE-2022-30595: libImaging/TgaRleDecode.c in Pillow 9.1.0 has a heap buffer overflow in the processing of invalid TGA image files. |
Pillow | 6.2.2 | <7.1.0 |
show In Pillow before 7.1.0, there are two Buffer Overflows in libImaging/TiffDecode.c. |
Pillow | 6.2.2 | <7.1.0 |
show Pillow before 7.1.0 has multiple out-of-bounds reads in libImaging/FliDecode.c. |
Pillow | 6.2.2 | <7.1.0 |
show In libImaging/PcxDecode.c in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer. |
Pillow | 6.2.2 | >=4.3.0,<8.1.1 |
show Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large. |
Pillow | 6.2.2 | <8.0.1 |
show Pillow 8.0.1 updates 'FreeType' used in binary wheels to v2.10.4 to include a security fix. |
Pillow | 6.2.2 | <10.3.0 |
show Pillow 10.3.0 introduces a security update addressing CVE-2024-28219 by replacing certain functions with strncpy to prevent buffer overflow issues. |
Pillow | 6.2.2 | >=0,<8.2.0 |
show An issue was discovered in Pillow before 8.2.0. PSDImagePlugin.PsdImageFile lacked a sanity check on the number of input layers relative to the size of the data block. This could lead to a DoS on Image.open prior to Image.load. |
Pillow | 6.2.2 | <10.0.0 |
show Pillow 10.0.0 includes a fix for CVE-2023-44271: Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument. https://github.com/python-pillow/Pillow/pull/7244 |
Pillow | 6.2.2 | <10.2.0 |
show Pillow is potentially vulnerable to DoS attacks through PIL.ImageFont.ImageFont.getmask(). A decompression bomb check has also been added to the affected function. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 excludes carriage return in PDF regex to help prevent ReDoS. https://github.com/python-pillow/Pillow/pull/5912 https://github.com/python-pillow/Pillow/commit/43b800d933c996226e4d7df00c33fcbe46d97363 |
Pillow | 6.2.2 | <8.2.0 |
show Pillow version 8.2.0 includes a fix for CVE-2021-28676: For FLI data, FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load. https://lists.fedoraproject.org/archives/list/[email protected]/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/ https://github.com/python-pillow/Pillow/pull/5377 https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28676-fix-fli-dos |
Pillow | 6.2.2 | <10.2.0 |
show Pillow is affected by an arbitrary code execution vulnerability. If an attacker has control over the keys passed to the environment argument of PIL.ImageMath.eval(), they may be able to execute arbitrary code. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 6.2.2 | <8.2.0 |
show Pillow version 8.2.0 includes a fix for CVE-2021-28678: For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data. https://lists.fedoraproject.org/archives/list/[email protected]/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/ https://github.com/python-pillow/Pillow/pull/5377 https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28678-fix-blp-dos |
Pillow | 6.2.2 | >=2.5.0,<10.0.1 |
show Pillow 10.0.1 updates its C dependency 'libwebp' to 1.3.2 to include a fix for a high-risk vulnerability. https://pillow.readthedocs.io/en/stable/releasenotes/10.0.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25291: In TiffDecode.c, there is an out-of-bounds read in TiffreadRGBATile via invalid tile boundaries. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25293: There is an out-of-bounds read in SGIRleDecode.c. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25290: In TiffDecode.c, there is a negative-offset memcpy with an invalid size. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <7.1.0 |
show In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file. |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-27921: Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.2.0 |
show Pillow 8.2.0 includes a fix for CVE-2021-25288: There is an out-of-bounds read in J2kDecode, in j2ku_gray_i. https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode |
Pillow | 6.2.2 | <8.3.0 |
show Pillow 8.3.0 includes a fix for CVE-2021-34552: Pillow through 8.2.0 and PIL (also known as Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow https://pillow.readthedocs.io/en/stable/releasenotes/index.html |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22816: path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 6.2.2 | <8.1.0 |
show Pillow 8.1.0 fixes TIFF OOB Write error. CVE-2020-35654 #5175. |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25292: The PDF parser allows a regular expression DoS (ReDoS) attack via a crafted PDF file because of a catastrophic backtracking regex. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-27922: Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.0 |
show In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations. |
Pillow | 6.2.2 | <8.2.0 |
show Pillow 8.2.0 includes a fix for CVE-2021-25287: There is an out-of-bounds read in J2kDecode, in j2ku_graya_la. https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode |
Pillow | 6.2.2 | <8.2.0 |
show Pillow version 8.2.0 includes a fix for CVE-2021-28677: For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \r and \n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a DoS of Pillow in the open phase, before an image was accepted for opening. https://lists.fedoraproject.org/archives/list/[email protected]/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/ https://github.com/python-pillow/Pillow/pull/5377 https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28677-fix-eps-dos-on-open |
Pillow | 6.2.2 | <9.0.1 |
show Pillow 9.0.1 includes a fix for CVE-2022-22817: PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A first patch was issued for version 9.0.0 but it did not prevent builtins available to lambda expressions. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html#security |
Pillow | 6.2.2 | >=5.2.0,<8.3.2 |
show Pillow from 5.2.0 and before 8.3.2 is vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function. https://github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd2f476e1b20b7cf38683754866b https://pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22815: path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 6.2.2 | <9.2.0 |
show Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification). |
Jinja2 | 2.11.2 | <2.11.3 |
show This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the '_punctuation_re regex' operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory. |
Jinja2 | 2.11.2 | <3.1.3 |
show Jinja2 before 3.1.3 is affected by a Cross-Site Scripting vulnerability. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template. The Jinja 'xmlattr' filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based. |
urllib3 | 1.25.8 | <1.26.17 , >=2.0.0a1,<2.0.5 |
show Urllib3 1.26.17 and 2.0.5 include a fix for CVE-2023-43804: Urllib3 doesn't treat the 'Cookie' HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a 'Cookie' header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f |
urllib3 | 1.25.8 | <1.25.9 |
show Urllib3 1.25.9 includes a fix for CVE-2020-26137: Urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116. https://github.com/python/cpython/issues/83784 https://github.com/urllib3/urllib3/pull/1800 |
urllib3 | 1.25.8 | <1.26.5 |
show Urllib3 1.26.5 includes a fix for CVE-2021-33503: When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. https://github.com/advisories/GHSA-q2q7-5pp4-w6pg |
urllib3 | 1.25.8 | <1.26.18 , >=2.0.0a1,<2.0.7 |
show Urllib3 1.26.18 and 2.0.7 include a fix for CVE-2023-45803: Request body not stripped after redirect from 303 status changes request method to GET. https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4 |
gunicorn | 19.8.1 | <19.10.0 , >=20.0.0,<20.0.1 |
show Gunicorn 20.0.1 fixes chunked encoding support to prevent http request smuggling attacks. https://github.com/benoitc/gunicorn/issues/2176 https://github.com/p4k03n4t0r/http-request-smuggling#request-smuggling-using-mitmproxy-and-gunicorn |
Werkzeug | 0.14.1 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-23934: Browsers may allow "nameless" cookies that look like '=value' instead of 'key=value'. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like '=__Host-test=bad' for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie '=__Host-test=bad' as __Host-test=bad'. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q |
Werkzeug | 0.14.1 | ==3.0.0 , <2.3.8 |
show Werkzeug 3.0.1 and 2.3.8 include a security fix: Slow multipart parsing for large parts potentially enabling DoS attacks. https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1 |
Werkzeug | 0.14.1 | >=0,<0.15.3 |
show Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id. |
Werkzeug | 0.14.1 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-25577: Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses 'request.data', 'request.form', 'request.files', or 'request.get_data(parse_form_data=False)', it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers. https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323 |
Werkzeug | 0.14.1 | >=0,<0.15.5 |
show In Pallets Werkzeug before 0.15.5, SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames. |
Flask-Admin | 1.5.2 | <=1.5.2 |
show Flask-Admin 1.5.3 includes a fix for CVE-2018-16516: Helpers.py in Flask-Admin 1.5.2 has Reflected XSS via a crafted URL. https://github.com/flask-admin/flask-admin/pull/1699 |
Flask-Caching | 1.4.0 | <=1.10.1 |
show Flask-caching is vulnerable to CVE-2021-33026: Flask-Caching extension for Flask relies on Pickle for deserialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code. NOTE: Project maintainers indicate that exploitation is extremely unlikely unless the machine is already compromised; in other cases, the attacker would be unable to write their payload to the cache and generate the required collision. https://github.com/pallets-eco/flask-caching/pull/209 |
Package | Installed | Affected | Info |
---|---|---|---|
lxml | 4.2.4 | <4.6.2 |
show Lxml 4.6.2 includes a fix for CVE-2020-27783: A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code. |
lxml | 4.2.4 | <4.9.1 |
show Lxml 4.9.1 includes a fix for CVE-2022-2309: NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered. |
lxml | 4.2.4 | <4.4.0 |
show In lxml before 4.4.0, when writing to file paths that contain the URL escape character '%', the file path could wrongly be mangled by URL unescaping and thus write to a different file or directory. Code that writes to file paths that are provided by untrusted sources, but that must work with previous versions of lxml, should best either reject paths that contain '%' characters, or otherwise make sure that the path does not contain maliciously injected '%XX' URL hex escapes for paths like '../'. https://github.com/lxml/lxml/commit/0245aba002f069a0b157282707bdf77418d1b5be |
lxml | 4.2.4 | <4.6.5 |
show Lxml 4.6.5 includes a fix for CVE-2021-43818: Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. |
lxml | 4.2.4 | <4.6.3 |
show Lxml version 4.6.3 includes a fix for CVE-2021-28957: An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formation attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. https://bugs.launchpad.net/lxml/+bug/1888153 |
lxml | 4.2.4 | <4.2.5 |
show Lxml 4.2.5 includes a fix for CVE-2018-19787: lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as demonstrated by "j a v a s c r i p t:" in Internet Explorer. This is a similar issue to CVE-2014-3146. |
Flask | 0.12.4 | <2.2.5 , >=2.3.0,<2.3.2 |
show Flask 2.2.5 and 2.3.2 include a fix for CVE-2023-30861: When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches 'Set-Cookie' headers, it may send one client's 'session' cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met: 1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies. 2. The application sets 'session.permanent = True' 3. The application does not access or modify the session at any point during a request. 4. 'SESSION_REFRESH_EACH_REQUEST' enabled (the default). 5. The application does not set a 'Cache-Control' header to indicate that a page is private or should not be cached. This happens because vulnerable versions of Flask only set the 'Vary: Cookie' header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. https://github.com/pallets/flask/security/advisories/GHSA-m2qf-hxjv-5gpq |
Pillow | 6.2.2 | <=7.0.0 |
show In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out-of-bounds reads exist in the parsing of SGI image files, a different issue than CVE-2020-5311. |
Pillow | 6.2.2 | <8.1.0 |
show Pillow 8.1.0 includes a fix for SGI Decode buffer overrun. CVE-2020-35655 #5173. |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25289: TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. NOTE: this issue exists because of an incomplete fix for CVE-2020-35654. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | >=0,<8.1.2 |
show Certain versions of Pillow are susceptible to a denial of service via memory consumption due to inadequate validation of the reported size of a contained image in a BLP container. This can result in attempts to allocate excessively large amounts of memory. To mitigate or avoid this vulnerability, users should consider updating to a newer version that addresses the issue or following any provided workarounds, such as avoiding the processing of specially crafted invalid image files that may trigger this condition. For additional details and potential updates, users may refer to the CVE-2021-27921 entry or contact the software maintainers through the provided channels. |
Pillow | 6.2.2 | <9.0.1 |
show Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled. |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 ensures JpegImagePlugin stops at the end of a truncated file to avoid Denial of Service attacks. https://github.com/python-pillow/Pillow/pull/5921 https://github.com/advisories/GHSA-4fx9-vc88-q2xc |
Pillow | 6.2.2 | <9.1.1 |
show Pillow 9.1.1 addresses the CVE-2022-30595: libImaging/TgaRleDecode.c in Pillow 9.1.0 has a heap buffer overflow in the processing of invalid TGA image files. |
Pillow | 6.2.2 | <7.1.0 |
show In Pillow before 7.1.0, there are two Buffer Overflows in libImaging/TiffDecode.c. |
Pillow | 6.2.2 | <7.1.0 |
show Pillow before 7.1.0 has multiple out-of-bounds reads in libImaging/FliDecode.c. |
Pillow | 6.2.2 | <7.1.0 |
show In libImaging/PcxDecode.c in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer. |
Pillow | 6.2.2 | >=4.3.0,<8.1.1 |
show Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large. |
Pillow | 6.2.2 | <8.0.1 |
show Pillow 8.0.1 updates 'FreeType' used in binary wheels to v2.10.4 to include a security fix. |
Pillow | 6.2.2 | <10.3.0 |
show Pillow 10.3.0 introduces a security update addressing CVE-2024-28219 by replacing certain functions with strncpy to prevent buffer overflow issues. |
Pillow | 6.2.2 | >=0,<8.2.0 |
show An issue was discovered in Pillow before 8.2.0. PSDImagePlugin.PsdImageFile lacked a sanity check on the number of input layers relative to the size of the data block. This could lead to a DoS on Image.open prior to Image.load. |
Pillow | 6.2.2 | <10.0.0 |
show Pillow 10.0.0 includes a fix for CVE-2023-44271: Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument. https://github.com/python-pillow/Pillow/pull/7244 |
Pillow | 6.2.2 | <10.2.0 |
show Pillow is potentially vulnerable to DoS attacks through PIL.ImageFont.ImageFont.getmask(). A decompression bomb check has also been added to the affected function. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 excludes carriage return in PDF regex to help prevent ReDoS. https://github.com/python-pillow/Pillow/pull/5912 https://github.com/python-pillow/Pillow/commit/43b800d933c996226e4d7df00c33fcbe46d97363 |
Pillow | 6.2.2 | <8.2.0 |
show Pillow version 8.2.0 includes a fix for CVE-2021-28676: For FLI data, FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load. https://lists.fedoraproject.org/archives/list/[email protected]/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/ https://github.com/python-pillow/Pillow/pull/5377 https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28676-fix-fli-dos |
Pillow | 6.2.2 | <10.2.0 |
show Pillow is affected by an arbitrary code execution vulnerability. If an attacker has control over the keys passed to the environment argument of PIL.ImageMath.eval(), they may be able to execute arbitrary code. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 6.2.2 | <8.2.0 |
show Pillow version 8.2.0 includes a fix for CVE-2021-28678: For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data. https://lists.fedoraproject.org/archives/list/[email protected]/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/ https://github.com/python-pillow/Pillow/pull/5377 https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28678-fix-blp-dos |
Pillow | 6.2.2 | >=2.5.0,<10.0.1 |
show Pillow 10.0.1 updates its C dependency 'libwebp' to 1.3.2 to include a fix for a high-risk vulnerability. https://pillow.readthedocs.io/en/stable/releasenotes/10.0.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25291: In TiffDecode.c, there is an out-of-bounds read in TiffreadRGBATile via invalid tile boundaries. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25293: There is an out-of-bounds read in SGIRleDecode.c. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25290: In TiffDecode.c, there is a negative-offset memcpy with an invalid size. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <7.1.0 |
show In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file. |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-27921: Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.2.0 |
show Pillow 8.2.0 includes a fix for CVE-2021-25288: There is an out-of-bounds read in J2kDecode, in j2ku_gray_i. https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode |
Pillow | 6.2.2 | <8.3.0 |
show Pillow 8.3.0 includes a fix for CVE-2021-34552: Pillow through 8.2.0 and PIL (also known as Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow https://pillow.readthedocs.io/en/stable/releasenotes/index.html |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22816: path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 6.2.2 | <8.1.0 |
show Pillow 8.1.0 fixes TIFF OOB Write error. CVE-2020-35654 #5175. |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-25292: The PDF parser allows a regular expression DoS (ReDoS) attack via a crafted PDF file because of a catastrophic backtracking regex. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.1 |
show Pillow 8.1.1 includes a fix for CVE-2021-27922: Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large. https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html |
Pillow | 6.2.2 | <8.1.0 |
show In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations. |
Pillow | 6.2.2 | <8.2.0 |
show Pillow 8.2.0 includes a fix for CVE-2021-25287: There is an out-of-bounds read in J2kDecode, in j2ku_graya_la. https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode |
Pillow | 6.2.2 | <8.2.0 |
show Pillow version 8.2.0 includes a fix for CVE-2021-28677: For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \r and \n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a DoS of Pillow in the open phase, before an image was accepted for opening. https://lists.fedoraproject.org/archives/list/[email protected]/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/ https://github.com/python-pillow/Pillow/pull/5377 https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28677-fix-eps-dos-on-open |
Pillow | 6.2.2 | <9.0.1 |
show Pillow 9.0.1 includes a fix for CVE-2022-22817: PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A first patch was issued for version 9.0.0 but it did not prevent builtins available to lambda expressions. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html#security |
Pillow | 6.2.2 | >=5.2.0,<8.3.2 |
show Pillow from 5.2.0 and before 8.3.2 is vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function. https://github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd2f476e1b20b7cf38683754866b https://pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html |
Pillow | 6.2.2 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22815: path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 6.2.2 | <9.2.0 |
show Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification). |
Jinja2 | 2.11.2 | <2.11.3 |
show This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the '_punctuation_re regex' operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory. |
Jinja2 | 2.11.2 | <3.1.3 |
show Jinja2 before 3.1.3 is affected by a Cross-Site Scripting vulnerability. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template. The Jinja 'xmlattr' filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based. |
urllib3 | 1.25.8 | <1.26.17 , >=2.0.0a1,<2.0.5 |
show Urllib3 1.26.17 and 2.0.5 include a fix for CVE-2023-43804: Urllib3 doesn't treat the 'Cookie' HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a 'Cookie' header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f |
urllib3 | 1.25.8 | <1.25.9 |
show Urllib3 1.25.9 includes a fix for CVE-2020-26137: Urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116. https://github.com/python/cpython/issues/83784 https://github.com/urllib3/urllib3/pull/1800 |
urllib3 | 1.25.8 | <1.26.5 |
show Urllib3 1.26.5 includes a fix for CVE-2021-33503: When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. https://github.com/advisories/GHSA-q2q7-5pp4-w6pg |
urllib3 | 1.25.8 | <1.26.18 , >=2.0.0a1,<2.0.7 |
show Urllib3 1.26.18 and 2.0.7 include a fix for CVE-2023-45803: Request body not stripped after redirect from 303 status changes request method to GET. https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4 |
gunicorn | 19.8.1 | <19.10.0 , >=20.0.0,<20.0.1 |
show Gunicorn 20.0.1 fixes chunked encoding support to prevent http request smuggling attacks. https://github.com/benoitc/gunicorn/issues/2176 https://github.com/p4k03n4t0r/http-request-smuggling#request-smuggling-using-mitmproxy-and-gunicorn |
Werkzeug | 0.14.1 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-23934: Browsers may allow "nameless" cookies that look like '=value' instead of 'key=value'. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like '=__Host-test=bad' for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie '=__Host-test=bad' as __Host-test=bad'. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q |
Werkzeug | 0.14.1 | ==3.0.0 , <2.3.8 |
show Werkzeug 3.0.1 and 2.3.8 include a security fix: Slow multipart parsing for large parts potentially enabling DoS attacks. https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1 |
Werkzeug | 0.14.1 | >=0,<0.15.3 |
show Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id. |
Werkzeug | 0.14.1 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-25577: Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses 'request.data', 'request.form', 'request.files', or 'request.get_data(parse_form_data=False)', it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers. https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323 |
Werkzeug | 0.14.1 | >=0,<0.15.5 |
show In Pallets Werkzeug before 0.15.5, SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames. |
Flask-Admin | 1.5.2 | <=1.5.2 |
show Flask-Admin 1.5.3 includes a fix for CVE-2018-16516: Helpers.py in Flask-Admin 1.5.2 has Reflected XSS via a crafted URL. https://github.com/flask-admin/flask-admin/pull/1699 |
Flask-Caching | 1.4.0 | <=1.10.1 |
show Flask-caching is vulnerable to CVE-2021-33026: Flask-Caching extension for Flask relies on Pickle for deserialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code. NOTE: Project maintainers indicate that exploitation is extremely unlikely unless the machine is already compromised; in other cases, the attacker would be unable to write their payload to the cache and generate the required collision. https://github.com/pallets-eco/flask-caching/pull/209 |
https://pyup.io/repos/github/scieloorg/opac/python-3-shield.svg
[![Python 3](https://pyup.io/repos/github/scieloorg/opac/python-3-shield.svg)](https://pyup.io/repos/github/scieloorg/opac/)
.. image:: https://pyup.io/repos/github/scieloorg/opac/python-3-shield.svg :target: https://pyup.io/repos/github/scieloorg/opac/ :alt: Python 3
<a href="https://pyup.io/repos/github/scieloorg/opac/"><img src="https://pyup.io/repos/github/scieloorg/opac/shield.svg" alt="Python 3" /></a>
!https://pyup.io/repos/github/scieloorg/opac/python-3-shield.svg(Python 3)!:https://pyup.io/repos/github/scieloorg/opac/
{<img src="https://pyup.io/repos/github/scieloorg/opac/python-3-shield.svg" alt="Python 3" />}[https://pyup.io/repos/github/scieloorg/opac/]
https://pyup.io/repos/github/scieloorg/opac/shield.svg
[![Updates](https://pyup.io/repos/github/scieloorg/opac/shield.svg)](https://pyup.io/repos/github/scieloorg/opac/)
.. image:: https://pyup.io/repos/github/scieloorg/opac/shield.svg :target: https://pyup.io/repos/github/scieloorg/opac/ :alt: Updates
<a href="https://pyup.io/repos/github/scieloorg/opac/"><img src="https://pyup.io/repos/github/scieloorg/opac/shield.svg" alt="Updates" /></a>
!https://pyup.io/repos/github/scieloorg/opac/shield.svg(Updates)!:https://pyup.io/repos/github/scieloorg/opac/
{<img src="https://pyup.io/repos/github/scieloorg/opac/shield.svg" alt="Updates" />}[https://pyup.io/repos/github/scieloorg/opac/]