Package | Installed | Affected | Info |
---|---|---|---|
Flask | 0.12.2 | <0.12.3 |
show flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. |
Flask | 0.12.2 | <2.2.5 , >=2.3.0,<2.3.2 |
show Flask 2.2.5 and 2.3.2 include a fix for CVE-2023-30861: When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches 'Set-Cookie' headers, it may send one client's 'session' cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met: 1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies. 2. The application sets 'session.permanent = True' 3. The application does not access or modify the session at any point during a request. 4. 'SESSION_REFRESH_EACH_REQUEST' enabled (the default). 5. The application does not set a 'Cache-Control' header to indicate that a page is private or should not be cached. This happens because vulnerable versions of Flask only set the 'Vary: Cookie' header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. https://github.com/pallets/flask/security/advisories/GHSA-m2qf-hxjv-5gpq |
Flask | 0.12.2 | <0.12.3 |
show Flask 0.12.3 includes a fix for CVE-2019-1010083: Unexpected memory usage. The impact is denial of service. The attack vector is crafted encoded JSON data. NOTE: this may overlap CVE-2018-1000656. https://github.com/pallets/flask/pull/2695/commits/0e1e9a04aaf29ab78f721cfc79ac2a691f6e3929 |
Package | Installed | Affected | Info |
---|---|---|---|
Flask | 0.11 | <0.12.3 |
show flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. |
Flask | 0.11 | <2.2.5 , >=2.3.0,<2.3.2 |
show Flask 2.2.5 and 2.3.2 include a fix for CVE-2023-30861: When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches 'Set-Cookie' headers, it may send one client's 'session' cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met: 1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies. 2. The application sets 'session.permanent = True' 3. The application does not access or modify the session at any point during a request. 4. 'SESSION_REFRESH_EACH_REQUEST' enabled (the default). 5. The application does not set a 'Cache-Control' header to indicate that a page is private or should not be cached. This happens because vulnerable versions of Flask only set the 'Vary: Cookie' header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. https://github.com/pallets/flask/security/advisories/GHSA-m2qf-hxjv-5gpq |
Flask | 0.11 | <0.12.3 |
show Flask 0.12.3 includes a fix for CVE-2019-1010083: Unexpected memory usage. The impact is denial of service. The attack vector is crafted encoded JSON data. NOTE: this may overlap CVE-2018-1000656. https://github.com/pallets/flask/pull/2695/commits/0e1e9a04aaf29ab78f721cfc79ac2a691f6e3929 |
Werkzeug | 0.9.6 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-23934: Browsers may allow "nameless" cookies that look like '=value' instead of 'key=value'. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like '=__Host-test=bad' for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie '=__Host-test=bad' as __Host-test=bad'. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q |
Werkzeug | 0.9.6 | <0.12 |
show The defaults of 'generate_password_hash' in werkzeug 0.12 have been changed to more secure ones. https://github.com/pallets/werkzeug/pull/753 |
Werkzeug | 0.9.6 | ==3.0.0 , <2.3.8 |
show Werkzeug 3.0.1 and 2.3.8 include a security fix: Slow multipart parsing for large parts potentially enabling DoS attacks. https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1 |
Werkzeug | 0.9.6 | >=0,<0.11.11 |
show This vulnerability occurs in certain versions of werkzeug where an attacker can initiate Cross-site Scripting (XSS) attacks using the plaintext variable on the debug page. |
Werkzeug | 0.9.6 | <0.11.11 |
show Cross-site scripting (XSS) vulnerability in the render_full function in debug/tbtools.py in the debugger in Pallets Werkzeug before 0.11.11 (as used in Pallets Flask and other products) allows remote attackers to inject arbitrary web script or HTML via a field that contains an exception message. |
Werkzeug | 0.9.6 | <0.11.6 |
show Werkzeug before 0.11.6 includes an open redirect vulnerability via a double slash in the URL. See CVE-2020-28724. |
Werkzeug | 0.9.6 | >=0,<0.15.3 |
show Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id. |
Werkzeug | 0.9.6 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-25577: Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses 'request.data', 'request.form', 'request.files', or 'request.get_data(parse_form_data=False)', it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers. https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323 |
Werkzeug | 0.9.6 | >=0,<0.15.5 |
show In Pallets Werkzeug before 0.15.5, SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames. |
pycrypto | 2.6.1 | <=2.6.1 |
show Heap-based buffer overflow in the ALGnew function in block_templace.c in Python Cryptography Toolkit (aka pycrypto) 2.6.1 allows remote attackers to execute arbitrary code as demonstrated by a crafted iv parameter to cryptmsg.py. |
Package | Installed | Affected | Info |
---|---|---|---|
Flask | 0.11 | <0.12.3 |
show flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. |
Flask | 0.11 | <2.2.5 , >=2.3.0,<2.3.2 |
show Flask 2.2.5 and 2.3.2 include a fix for CVE-2023-30861: When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches 'Set-Cookie' headers, it may send one client's 'session' cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met: 1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies. 2. The application sets 'session.permanent = True' 3. The application does not access or modify the session at any point during a request. 4. 'SESSION_REFRESH_EACH_REQUEST' enabled (the default). 5. The application does not set a 'Cache-Control' header to indicate that a page is private or should not be cached. This happens because vulnerable versions of Flask only set the 'Vary: Cookie' header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. https://github.com/pallets/flask/security/advisories/GHSA-m2qf-hxjv-5gpq |
Flask | 0.11 | <0.12.3 |
show Flask 0.12.3 includes a fix for CVE-2019-1010083: Unexpected memory usage. The impact is denial of service. The attack vector is crafted encoded JSON data. NOTE: this may overlap CVE-2018-1000656. https://github.com/pallets/flask/pull/2695/commits/0e1e9a04aaf29ab78f721cfc79ac2a691f6e3929 |
Werkzeug | 0.9.6 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-23934: Browsers may allow "nameless" cookies that look like '=value' instead of 'key=value'. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like '=__Host-test=bad' for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie '=__Host-test=bad' as __Host-test=bad'. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q |
Werkzeug | 0.9.6 | <0.12 |
show The defaults of 'generate_password_hash' in werkzeug 0.12 have been changed to more secure ones. https://github.com/pallets/werkzeug/pull/753 |
Werkzeug | 0.9.6 | ==3.0.0 , <2.3.8 |
show Werkzeug 3.0.1 and 2.3.8 include a security fix: Slow multipart parsing for large parts potentially enabling DoS attacks. https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1 |
Werkzeug | 0.9.6 | >=0,<0.11.11 |
show This vulnerability occurs in certain versions of werkzeug where an attacker can initiate Cross-site Scripting (XSS) attacks using the plaintext variable on the debug page. |
Werkzeug | 0.9.6 | <0.11.11 |
show Cross-site scripting (XSS) vulnerability in the render_full function in debug/tbtools.py in the debugger in Pallets Werkzeug before 0.11.11 (as used in Pallets Flask and other products) allows remote attackers to inject arbitrary web script or HTML via a field that contains an exception message. |
Werkzeug | 0.9.6 | <0.11.6 |
show Werkzeug before 0.11.6 includes an open redirect vulnerability via a double slash in the URL. See CVE-2020-28724. |
Werkzeug | 0.9.6 | >=0,<0.15.3 |
show Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id. |
Werkzeug | 0.9.6 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-25577: Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses 'request.data', 'request.form', 'request.files', or 'request.get_data(parse_form_data=False)', it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers. https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323 |
Werkzeug | 0.9.6 | >=0,<0.15.5 |
show In Pallets Werkzeug before 0.15.5, SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames. |
pycrypto | 2.6.1 | <=2.6.1 |
show Heap-based buffer overflow in the ALGnew function in block_templace.c in Python Cryptography Toolkit (aka pycrypto) 2.6.1 allows remote attackers to execute arbitrary code as demonstrated by a crafted iv parameter to cryptmsg.py. |
Package | Installed | Affected | Info |
---|---|---|---|
Flask | 0.11 | <0.12.3 |
show flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. |
Flask | 0.11 | <2.2.5 , >=2.3.0,<2.3.2 |
show Flask 2.2.5 and 2.3.2 include a fix for CVE-2023-30861: When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches 'Set-Cookie' headers, it may send one client's 'session' cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met: 1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies. 2. The application sets 'session.permanent = True' 3. The application does not access or modify the session at any point during a request. 4. 'SESSION_REFRESH_EACH_REQUEST' enabled (the default). 5. The application does not set a 'Cache-Control' header to indicate that a page is private or should not be cached. This happens because vulnerable versions of Flask only set the 'Vary: Cookie' header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. https://github.com/pallets/flask/security/advisories/GHSA-m2qf-hxjv-5gpq |
Flask | 0.11 | <0.12.3 |
show Flask 0.12.3 includes a fix for CVE-2019-1010083: Unexpected memory usage. The impact is denial of service. The attack vector is crafted encoded JSON data. NOTE: this may overlap CVE-2018-1000656. https://github.com/pallets/flask/pull/2695/commits/0e1e9a04aaf29ab78f721cfc79ac2a691f6e3929 |
Werkzeug | 0.9.6 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-23934: Browsers may allow "nameless" cookies that look like '=value' instead of 'key=value'. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like '=__Host-test=bad' for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie '=__Host-test=bad' as __Host-test=bad'. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q |
Werkzeug | 0.9.6 | <0.12 |
show The defaults of 'generate_password_hash' in werkzeug 0.12 have been changed to more secure ones. https://github.com/pallets/werkzeug/pull/753 |
Werkzeug | 0.9.6 | ==3.0.0 , <2.3.8 |
show Werkzeug 3.0.1 and 2.3.8 include a security fix: Slow multipart parsing for large parts potentially enabling DoS attacks. https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1 |
Werkzeug | 0.9.6 | >=0,<0.11.11 |
show This vulnerability occurs in certain versions of werkzeug where an attacker can initiate Cross-site Scripting (XSS) attacks using the plaintext variable on the debug page. |
Werkzeug | 0.9.6 | <0.11.11 |
show Cross-site scripting (XSS) vulnerability in the render_full function in debug/tbtools.py in the debugger in Pallets Werkzeug before 0.11.11 (as used in Pallets Flask and other products) allows remote attackers to inject arbitrary web script or HTML via a field that contains an exception message. |
Werkzeug | 0.9.6 | <0.11.6 |
show Werkzeug before 0.11.6 includes an open redirect vulnerability via a double slash in the URL. See CVE-2020-28724. |
Werkzeug | 0.9.6 | >=0,<0.15.3 |
show Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id. |
Werkzeug | 0.9.6 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-25577: Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses 'request.data', 'request.form', 'request.files', or 'request.get_data(parse_form_data=False)', it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers. https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323 |
Werkzeug | 0.9.6 | >=0,<0.15.5 |
show In Pallets Werkzeug before 0.15.5, SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames. |
pycrypto | 2.6.1 | <=2.6.1 |
show Heap-based buffer overflow in the ALGnew function in block_templace.c in Python Cryptography Toolkit (aka pycrypto) 2.6.1 allows remote attackers to execute arbitrary code as demonstrated by a crafted iv parameter to cryptmsg.py. |
Package | Installed | Affected | Info |
---|---|---|---|
Flask | 0.11 | <0.12.3 |
show flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. |
Flask | 0.11 | <2.2.5 , >=2.3.0,<2.3.2 |
show Flask 2.2.5 and 2.3.2 include a fix for CVE-2023-30861: When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches 'Set-Cookie' headers, it may send one client's 'session' cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met: 1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies. 2. The application sets 'session.permanent = True' 3. The application does not access or modify the session at any point during a request. 4. 'SESSION_REFRESH_EACH_REQUEST' enabled (the default). 5. The application does not set a 'Cache-Control' header to indicate that a page is private or should not be cached. This happens because vulnerable versions of Flask only set the 'Vary: Cookie' header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. https://github.com/pallets/flask/security/advisories/GHSA-m2qf-hxjv-5gpq |
Flask | 0.11 | <0.12.3 |
show Flask 0.12.3 includes a fix for CVE-2019-1010083: Unexpected memory usage. The impact is denial of service. The attack vector is crafted encoded JSON data. NOTE: this may overlap CVE-2018-1000656. https://github.com/pallets/flask/pull/2695/commits/0e1e9a04aaf29ab78f721cfc79ac2a691f6e3929 |
Werkzeug | 0.9.6 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-23934: Browsers may allow "nameless" cookies that look like '=value' instead of 'key=value'. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like '=__Host-test=bad' for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie '=__Host-test=bad' as __Host-test=bad'. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q |
Werkzeug | 0.9.6 | <0.12 |
show The defaults of 'generate_password_hash' in werkzeug 0.12 have been changed to more secure ones. https://github.com/pallets/werkzeug/pull/753 |
Werkzeug | 0.9.6 | ==3.0.0 , <2.3.8 |
show Werkzeug 3.0.1 and 2.3.8 include a security fix: Slow multipart parsing for large parts potentially enabling DoS attacks. https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1 |
Werkzeug | 0.9.6 | >=0,<0.11.11 |
show This vulnerability occurs in certain versions of werkzeug where an attacker can initiate Cross-site Scripting (XSS) attacks using the plaintext variable on the debug page. |
Werkzeug | 0.9.6 | <0.11.11 |
show Cross-site scripting (XSS) vulnerability in the render_full function in debug/tbtools.py in the debugger in Pallets Werkzeug before 0.11.11 (as used in Pallets Flask and other products) allows remote attackers to inject arbitrary web script or HTML via a field that contains an exception message. |
Werkzeug | 0.9.6 | <0.11.6 |
show Werkzeug before 0.11.6 includes an open redirect vulnerability via a double slash in the URL. See CVE-2020-28724. |
Werkzeug | 0.9.6 | >=0,<0.15.3 |
show Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id. |
Werkzeug | 0.9.6 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-25577: Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses 'request.data', 'request.form', 'request.files', or 'request.get_data(parse_form_data=False)', it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers. https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323 |
Werkzeug | 0.9.6 | >=0,<0.15.5 |
show In Pallets Werkzeug before 0.15.5, SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames. |
pycrypto | 2.6.1 | <=2.6.1 |
show Heap-based buffer overflow in the ALGnew function in block_templace.c in Python Cryptography Toolkit (aka pycrypto) 2.6.1 allows remote attackers to execute arbitrary code as demonstrated by a crafted iv parameter to cryptmsg.py. |
Package | Installed | Affected | Info |
---|---|---|---|
Werkzeug | 0.9.6 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-23934: Browsers may allow "nameless" cookies that look like '=value' instead of 'key=value'. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like '=__Host-test=bad' for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie '=__Host-test=bad' as __Host-test=bad'. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q |
Werkzeug | 0.9.6 | <0.12 |
show The defaults of 'generate_password_hash' in werkzeug 0.12 have been changed to more secure ones. https://github.com/pallets/werkzeug/pull/753 |
Werkzeug | 0.9.6 | ==3.0.0 , <2.3.8 |
show Werkzeug 3.0.1 and 2.3.8 include a security fix: Slow multipart parsing for large parts potentially enabling DoS attacks. https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1 |
Werkzeug | 0.9.6 | >=0,<0.11.11 |
show This vulnerability occurs in certain versions of werkzeug where an attacker can initiate Cross-site Scripting (XSS) attacks using the plaintext variable on the debug page. |
Werkzeug | 0.9.6 | <0.11.11 |
show Cross-site scripting (XSS) vulnerability in the render_full function in debug/tbtools.py in the debugger in Pallets Werkzeug before 0.11.11 (as used in Pallets Flask and other products) allows remote attackers to inject arbitrary web script or HTML via a field that contains an exception message. |
Werkzeug | 0.9.6 | <0.11.6 |
show Werkzeug before 0.11.6 includes an open redirect vulnerability via a double slash in the URL. See CVE-2020-28724. |
Werkzeug | 0.9.6 | >=0,<0.15.3 |
show Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id. |
Werkzeug | 0.9.6 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-25577: Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses 'request.data', 'request.form', 'request.files', or 'request.get_data(parse_form_data=False)', it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers. https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323 |
Werkzeug | 0.9.6 | >=0,<0.15.5 |
show In Pallets Werkzeug before 0.15.5, SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames. |
pycrypto | 2.6.1 | <=2.6.1 |
show Heap-based buffer overflow in the ALGnew function in block_templace.c in Python Cryptography Toolkit (aka pycrypto) 2.6.1 allows remote attackers to execute arbitrary code as demonstrated by a crafted iv parameter to cryptmsg.py. |
Package | Installed | Affected | Info |
---|---|---|---|
pycrypto | 2.6.1 | <=2.6.1 |
show Heap-based buffer overflow in the ALGnew function in block_templace.c in Python Cryptography Toolkit (aka pycrypto) 2.6.1 allows remote attackers to execute arbitrary code as demonstrated by a crafted iv parameter to cryptmsg.py. |
Package | Installed | Affected | Info |
---|---|---|---|
Werkzeug | 0.9.6 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-23934: Browsers may allow "nameless" cookies that look like '=value' instead of 'key=value'. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like '=__Host-test=bad' for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie '=__Host-test=bad' as __Host-test=bad'. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q |
Werkzeug | 0.9.6 | <0.12 |
show The defaults of 'generate_password_hash' in werkzeug 0.12 have been changed to more secure ones. https://github.com/pallets/werkzeug/pull/753 |
Werkzeug | 0.9.6 | ==3.0.0 , <2.3.8 |
show Werkzeug 3.0.1 and 2.3.8 include a security fix: Slow multipart parsing for large parts potentially enabling DoS attacks. https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1 |
Werkzeug | 0.9.6 | >=0,<0.11.11 |
show This vulnerability occurs in certain versions of werkzeug where an attacker can initiate Cross-site Scripting (XSS) attacks using the plaintext variable on the debug page. |
Werkzeug | 0.9.6 | <0.11.11 |
show Cross-site scripting (XSS) vulnerability in the render_full function in debug/tbtools.py in the debugger in Pallets Werkzeug before 0.11.11 (as used in Pallets Flask and other products) allows remote attackers to inject arbitrary web script or HTML via a field that contains an exception message. |
Werkzeug | 0.9.6 | <0.11.6 |
show Werkzeug before 0.11.6 includes an open redirect vulnerability via a double slash in the URL. See CVE-2020-28724. |
Werkzeug | 0.9.6 | >=0,<0.15.3 |
show Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id. |
Werkzeug | 0.9.6 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-25577: Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses 'request.data', 'request.form', 'request.files', or 'request.get_data(parse_form_data=False)', it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers. https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323 |
Werkzeug | 0.9.6 | >=0,<0.15.5 |
show In Pallets Werkzeug before 0.15.5, SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames. |
pycrypto | 2.6.1 | <=2.6.1 |
show Heap-based buffer overflow in the ALGnew function in block_templace.c in Python Cryptography Toolkit (aka pycrypto) 2.6.1 allows remote attackers to execute arbitrary code as demonstrated by a crafted iv parameter to cryptmsg.py. |
Package | Installed | Affected | Info |
---|---|---|---|
Werkzeug | 0.9.6 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-23934: Browsers may allow "nameless" cookies that look like '=value' instead of 'key=value'. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like '=__Host-test=bad' for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie '=__Host-test=bad' as __Host-test=bad'. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q |
Werkzeug | 0.9.6 | <0.12 |
show The defaults of 'generate_password_hash' in werkzeug 0.12 have been changed to more secure ones. https://github.com/pallets/werkzeug/pull/753 |
Werkzeug | 0.9.6 | ==3.0.0 , <2.3.8 |
show Werkzeug 3.0.1 and 2.3.8 include a security fix: Slow multipart parsing for large parts potentially enabling DoS attacks. https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1 |
Werkzeug | 0.9.6 | >=0,<0.11.11 |
show This vulnerability occurs in certain versions of werkzeug where an attacker can initiate Cross-site Scripting (XSS) attacks using the plaintext variable on the debug page. |
Werkzeug | 0.9.6 | <0.11.11 |
show Cross-site scripting (XSS) vulnerability in the render_full function in debug/tbtools.py in the debugger in Pallets Werkzeug before 0.11.11 (as used in Pallets Flask and other products) allows remote attackers to inject arbitrary web script or HTML via a field that contains an exception message. |
Werkzeug | 0.9.6 | <0.11.6 |
show Werkzeug before 0.11.6 includes an open redirect vulnerability via a double slash in the URL. See CVE-2020-28724. |
Werkzeug | 0.9.6 | >=0,<0.15.3 |
show Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id. |
Werkzeug | 0.9.6 | <2.2.3 |
show Werkzeug 2.2.3 includes a fix for CVE-2023-25577: Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses 'request.data', 'request.form', 'request.files', or 'request.get_data(parse_form_data=False)', it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers. https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323 |
Werkzeug | 0.9.6 | >=0,<0.15.5 |
show In Pallets Werkzeug before 0.15.5, SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames. |
pycrypto | 2.6.1 | <=2.6.1 |
show Heap-based buffer overflow in the ALGnew function in block_templace.c in Python Cryptography Toolkit (aka pycrypto) 2.6.1 allows remote attackers to execute arbitrary code as demonstrated by a crafted iv parameter to cryptmsg.py. |
https://pyup.io/repos/github/skytreader/alexandria/python-3-shield.svg
[![Python 3](https://pyup.io/repos/github/skytreader/alexandria/python-3-shield.svg)](https://pyup.io/repos/github/skytreader/alexandria/)
.. image:: https://pyup.io/repos/github/skytreader/alexandria/python-3-shield.svg :target: https://pyup.io/repos/github/skytreader/alexandria/ :alt: Python 3
<a href="https://pyup.io/repos/github/skytreader/alexandria/"><img src="https://pyup.io/repos/github/skytreader/alexandria/shield.svg" alt="Python 3" /></a>
!https://pyup.io/repos/github/skytreader/alexandria/python-3-shield.svg(Python 3)!:https://pyup.io/repos/github/skytreader/alexandria/
{<img src="https://pyup.io/repos/github/skytreader/alexandria/python-3-shield.svg" alt="Python 3" />}[https://pyup.io/repos/github/skytreader/alexandria/]
https://pyup.io/repos/github/skytreader/alexandria/shield.svg
[![Updates](https://pyup.io/repos/github/skytreader/alexandria/shield.svg)](https://pyup.io/repos/github/skytreader/alexandria/)
.. image:: https://pyup.io/repos/github/skytreader/alexandria/shield.svg :target: https://pyup.io/repos/github/skytreader/alexandria/ :alt: Updates
<a href="https://pyup.io/repos/github/skytreader/alexandria/"><img src="https://pyup.io/repos/github/skytreader/alexandria/shield.svg" alt="Updates" /></a>
!https://pyup.io/repos/github/skytreader/alexandria/shield.svg(Updates)!:https://pyup.io/repos/github/skytreader/alexandria/
{<img src="https://pyup.io/repos/github/skytreader/alexandria/shield.svg" alt="Updates" />}[https://pyup.io/repos/github/skytreader/alexandria/]