VulnerableCode Package Details - pkg:ebuild/dev-lang/python@3.12.0_alpha1

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-1p6r-bchy-pfdv	URL Redirection to Untrusted Site ('Open Redirect') A vulnerability was found in openstack-nova's console proxy, noVNC. By crafting a malicious URL, noVNC could be made to redirect to any desired URL.	CVE-2021-3654 GHSA-vqp6-j452-j6wp
VCID-51gu-vkcr-kkc9	Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may leads to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states "Warning: http.server is not recommended for production. It only implements basic security checks."	CVE-2021-28861
VCID-61be-j2gw-5qb9	In Python (aka CPython) up to 3.10.8, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments). The fix is also back-ported to 3.7, 3.8, 3.9	CVE-2015-20107
VCID-e7cq-r59p-dfe8	Buffer overflow in sponge queue functions Impact The Keccak sponge function interface accepts partial inputs to be absorbed and partial outputs to be squeezed. A buffer can overflow when partial data with some specific sizes are queued, where at least one of them has a length of 2^32 - 200 bytes or more. Patches Yes, see commit [fdc6fef0](https://github.com/XKCP/XKCP/commit/fdc6fef075f4e81d6b1bc38364248975e08e340a). Workarounds The problem can be avoided by limiting the size of the partial input data (or partial output digest) below 2^32 - 200 bytes. Multiple calls to the queue system can be chained at a higher level to retain the original functionality. Alternatively, one can process the entire input (or produce the entire output) at once, avoiding the queuing functions altogether. References See [issue #105](https://github.com/XKCP/XKCP/issues/105) for more details.	CVE-2022-37454 GHSA-6w4m-2xhg-2658
VCID-e8xm-tnrk-43dq	In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. This (in some situations) allows attackers to bypass access control that is based on IP addresses.	CVE-2021-29921
VCID-jz3c-xk6p-mkgc	certificate verification bypass	CVE-2021-28363 GHSA-5phf-pp7p-vc2r PYSEC-2021-59
VCID-uukm-7j8v-k7eg	Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any forkserver process is running as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start method for multiprocessing is not the default start method. This issue is Linux specific because only Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract namespace sockets by default. Support for users manually specifying an abstract namespace socket was added as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do that in CPython before 3.9.	CVE-2022-42919
VCID-vjm2-2fd9-3qhg	An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.	CVE-2022-45061
VCID-vm8m-na8y-67et	A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows characters like '\r' and '\n' in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection attacks. This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14.	CVE-2022-0391

Vulnerability

Summary

Aliases

VCID-1p6r-bchy-pfdv

URL Redirection to Untrusted Site ('Open Redirect') A vulnerability was found in openstack-nova's console proxy, noVNC. By crafting a malicious URL, noVNC could be made to redirect to any desired URL.

CVE-2021-3654
GHSA-vqp6-j452-j6wp

VCID-51gu-vkcr-kkc9

Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may leads to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states "Warning: http.server is not recommended for production. It only implements basic security checks."

CVE-2021-28861

VCID-61be-j2gw-5qb9

In Python (aka CPython) up to 3.10.8, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments). The fix is also back-ported to 3.7, 3.8, 3.9

CVE-2015-20107

VCID-e7cq-r59p-dfe8

Buffer overflow in sponge queue functions Impact The Keccak sponge function interface accepts partial inputs to be absorbed and partial outputs to be squeezed. A buffer can overflow when partial data with some specific sizes are queued, where at least one of them has a length of 2^32 - 200 bytes or more. Patches Yes, see commit [fdc6fef0](https://github.com/XKCP/XKCP/commit/fdc6fef075f4e81d6b1bc38364248975e08e340a). Workarounds The problem can be avoided by limiting the size of the partial input data (or partial output digest) below 2^32 - 200 bytes. Multiple calls to the queue system can be chained at a higher level to retain the original functionality. Alternatively, one can process the entire input (or produce the entire output) at once, avoiding the queuing functions altogether. References See [issue #105](https://github.com/XKCP/XKCP/issues/105) for more details.

CVE-2022-37454
GHSA-6w4m-2xhg-2658

VCID-e8xm-tnrk-43dq

In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. This (in some situations) allows attackers to bypass access control that is based on IP addresses.

CVE-2021-29921

VCID-jz3c-xk6p-mkgc

certificate verification bypass

CVE-2021-28363
GHSA-5phf-pp7p-vc2r
PYSEC-2021-59

VCID-uukm-7j8v-k7eg

Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any forkserver process is running as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start method for multiprocessing is not the default start method. This issue is Linux specific because only Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract namespace sockets by default. Support for users manually specifying an abstract namespace socket was added as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do that in CPython before 3.9.

CVE-2022-42919

VCID-vjm2-2fd9-3qhg

An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.

CVE-2022-45061

VCID-vm8m-na8y-67et

A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows characters like '\r' and '\n' in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection attacks. This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14.

CVE-2022-0391

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-04T19:11:37.427092+00:00	Gentoo Importer	Fixing	VCID-vjm2-2fd9-3qhg	https://security.gentoo.org/glsa/202305-02	38.6.0
2026-06-04T19:11:37.327145+00:00	Gentoo Importer	Fixing	VCID-uukm-7j8v-k7eg	https://security.gentoo.org/glsa/202305-02	38.6.0
2026-06-04T19:11:37.226123+00:00	Gentoo Importer	Fixing	VCID-e7cq-r59p-dfe8	https://security.gentoo.org/glsa/202305-02	38.6.0
2026-06-04T19:11:37.122709+00:00	Gentoo Importer	Fixing	VCID-vm8m-na8y-67et	https://security.gentoo.org/glsa/202305-02	38.6.0
2026-06-04T19:11:37.017116+00:00	Gentoo Importer	Fixing	VCID-e8xm-tnrk-43dq	https://security.gentoo.org/glsa/202305-02	38.6.0
2026-06-04T19:11:36.917047+00:00	Gentoo Importer	Fixing	VCID-51gu-vkcr-kkc9	https://security.gentoo.org/glsa/202305-02	38.6.0
2026-06-04T19:11:36.810396+00:00	Gentoo Importer	Fixing	VCID-jz3c-xk6p-mkgc	https://security.gentoo.org/glsa/202305-02	38.6.0
2026-06-04T19:11:36.705334+00:00	Gentoo Importer	Fixing	VCID-1p6r-bchy-pfdv	https://security.gentoo.org/glsa/202305-02	38.6.0
2026-06-04T19:11:36.594103+00:00	Gentoo Importer	Fixing	VCID-61be-j2gw-5qb9	https://security.gentoo.org/glsa/202305-02	38.6.0