Search for packages
| purl | pkg:rpm/redhat/automation-controller@4.5.7-1?arch=el9ap |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 4.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-7ykv-qpec-9bey
Aliases: CVE-2024-3772 GHSA-mr82-8j83-vxmv |
Pydantic regular expression denial of service Regular expression denial of service in Pydantic < 2.4.0, < 1.10.13 allows remote attackers to cause denial of service via a crafted email string. | There are no reported fixed by versions. |
|
VCID-bhkk-2b7c-wfgr
Aliases: CVE-2024-30251 GHSA-5m98-qgg9-wh84 |
aiohttp vulnerable to Denial of Service when trying to parse malformed POST requests ### Summary An attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will enter an infinite loop and be unable to process any further requests. ### Impact An attacker can stop the application from serving requests after sending a single request. ------- For anyone needing to patch older versions of aiohttp, the minimum diff needed to resolve the issue is (located in `_read_chunk_from_length()`): ```diff diff --git a/aiohttp/multipart.py b/aiohttp/multipart.py index 227be605c..71fc2654a 100644 --- a/aiohttp/multipart.py +++ b/aiohttp/multipart.py @@ -338,6 +338,8 @@ class BodyPartReader: assert self._length is not None, "Content-Length required for chunked read" chunk_size = min(size, self._length - self._read_bytes) chunk = await self._content.read(chunk_size) + if self._content.at_eof(): + self._at_eof = True return chunk async def _read_chunk_from_stream(self, size: int) -> bytes: ``` This does however introduce some very minor issues with handling form data. So, if possible, it would be recommended to also backport the changes in: https://github.com/aio-libs/aiohttp/commit/cebe526b9c34dc3a3da9140409db63014bc4cf19 https://github.com/aio-libs/aiohttp/commit/7eecdff163ccf029fbb1ddc9de4169d4aaeb6597 https://github.com/aio-libs/aiohttp/commit/f21c6f2ca512a026ce7f0f6c6311f62d6a638866 | There are no reported fixed by versions. |
|
VCID-g6gg-vgks-xyeb
Aliases: CVE-2023-5752 GHSA-mq26-g339-26xf PYSEC-2023-228 |
When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial. | There are no reported fixed by versions. |
|
VCID-jh1e-72hp-fuf4
Aliases: BIT-django-2024-27351 CVE-2024-27351 GHSA-vm8q-m57g-pff3 PYSEC-2024-47 |
In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665. | There are no reported fixed by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-01T13:51:20.478550+00:00 | RedHat Importer | Affected by | VCID-g6gg-vgks-xyeb | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-5752.json | 38.0.0 |
| 2026-04-01T13:49:24.018398+00:00 | RedHat Importer | Affected by | VCID-jh1e-72hp-fuf4 | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-27351.json | 38.0.0 |
| 2026-04-01T13:48:23.373019+00:00 | RedHat Importer | Affected by | VCID-7ykv-qpec-9bey | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-3772.json | 38.0.0 |
| 2026-04-01T13:47:54.794940+00:00 | RedHat Importer | Affected by | VCID-bhkk-2b7c-wfgr | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-30251.json | 38.0.0 |