Package details: pkg:deb/ubuntu/python3.5@3.5.2-2ubuntu0~16.04.11
purl: pkg:deb/ubuntu/python3.5@3.5.2-2ubuntu0~16.04.11
Next non-vulnerable version: 3.5.2-2ubuntu0~16.04.13
Latest non-vulnerable version: 3.5.2-2ubuntu0~16.04.13
Risk: 4.4
Vulnerabilities affecting this package (3)
Vulnerability: VCID-aer8-np52-aaan
Aliases: CVE-2020-27619
Summary: In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP.
Fixed by: 3.5.2-2ubuntu0~16.04.13 (Affected by 0 other vulnerabilities.)

Vulnerability: VCID-gk4y-9r2y-aaar
Aliases: CVE-2021-3177
Summary: Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely.
Fixed by: 3.5.2-2ubuntu0~16.04.13 (Affected by 0 other vulnerabilities.)

Vulnerability: VCID-s4tj-c35n-aaad
Aliases: CVE-2020-26116
Summary: http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.
Fixed by: 3.5.2-2ubuntu0~16.04.12 (Affected by 2 other vulnerabilities.)
Vulnerabilities fixed by this package (4)
Vulnerability: VCID-ae3q-mde6-aaab
Aliases: CVE-2019-20907
Summary: In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.

Vulnerability: VCID-j7vm-npyj-aaaq
Aliases: CVE-2019-9674
Summary: Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource consumption) via a ZIP bomb.

Vulnerability: VCID-kdx7-ds63-aaab
Aliases: CVE-2019-17514
Summary: CVE-2019-17514 python: potentially misleading information about whether sorting in library/glob.html

Vulnerability: VCID-q9te-pzu8-aaae
Aliases: CVE-2020-14422
Summary: Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created. This is fixed in: v3.5.10, v3.5.10rc1; v3.6.12; v3.7.9; v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1; v3.9.0, v3.9.0b4, v3.9.0b5, v3.9.0rc1, v3.9.0rc2.
