Search for packages
Package details: pkg:deb/debian/python2.7@2.7.18-8
purl pkg:deb/debian/python2.7@2.7.18-8
Tags Ghost
Next non-vulnerable version None.
Latest non-vulnerable version None.
Risk 4.4
Vulnerabilities affecting this package (13)
Vulnerability Summary Fixed by
VCID-1n4c-69xu-aaae
Aliases:
CVE-2021-3733
There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability.
2.7.18-8+deb11u1
Affected by 7 other vulnerabilities.
VCID-bdw7-d7up-aaaf
Aliases:
CVE-2021-4189
A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.
2.7.18-8+deb11u1
Affected by 7 other vulnerabilities.
VCID-gf6k-frsj-aaas
Aliases:
CVE-2023-40217
An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as "not connected" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)
2.7.18-8+deb11u1
Affected by 7 other vulnerabilities.
VCID-hq7h-468r-aaad
Aliases:
CVE-2021-3737
A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to system availability.
2.7.18-8+deb11u1
Affected by 7 other vulnerabilities.
VCID-ks3f-4xzz-aaae
Aliases:
CVE-2015-20107
In Python (aka CPython) through 3.10.4, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments).
2.7.18-8+deb11u1
Affected by 7 other vulnerabilities.
VCID-npq4-yhwg-aaad
Aliases:
CVE-2022-48560
A use-after-free exists in Python through 3.9 via heappushpop in heapq.
2.7.18-8+deb11u1
Affected by 7 other vulnerabilities.
VCID-nuws-q4cw-aaae
Aliases:
CVE-2022-45061
An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.
2.7.18-8+deb11u1
Affected by 7 other vulnerabilities.
VCID-q4am-rpfd-aaar
Aliases:
CVE-2022-48565
An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities.
2.7.18-8+deb11u1
Affected by 7 other vulnerabilities.
VCID-s4tj-c35n-aaad
Aliases:
CVE-2020-26116
http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.
2.7.18-8+deb11u1
Affected by 7 other vulnerabilities.
VCID-ttvn-gv7h-aaaq
Aliases:
CVE-2022-0391
A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows characters like '\r' and '\n' in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection attacks. This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14.
2.7.18-8+deb11u1
Affected by 7 other vulnerabilities.
VCID-uudz-d713-aaah
Aliases:
CVE-2022-48566
An issue was discovered in compare_digest in Lib/hmac.py in Python through 3.9.1. Constant-time-defeating optimisations were possible in the accumulator variable in hmac.compare_digest.
2.7.18-8+deb11u1
Affected by 7 other vulnerabilities.
VCID-y1sw-wnzq-aaae
Aliases:
CVE-2023-24329
An issue in the urllib.parse component of Python before v3.11 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.
2.7.18-8+deb11u1
Affected by 7 other vulnerabilities.
VCID-y3pv-b3df-aaah
Aliases:
CVE-2021-23336
The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.
2.7.18-8+deb11u1
Affected by 7 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version