python-3.8.8-hffdb5ce_0_cpython.tar.bz2: 9 vulnerabilities (highest severity is: 7.8) #10
Description
Vulnerable Library - python-3.8.8-hffdb5ce_0_cpython.tar.bz2
General purpose programming language
Library home page: https://api.anaconda.org/download/conda-forge/python/3.8.8/linux-64/python-3.8.8-hffdb5ce_0_cpython.tar.bz2
Path to dependency file: /environment.yml
Path to vulnerable library: /home/wss-scanner/anaconda3/pkgs/python-3.8.8-hffdb5ce_0_cpython.tar.bz2,/r/anaconda3/pkgs/python-3.8.8-hffdb5ce_0_cpython.tar.bz2
Found in HEAD commit: fd25f8b654a14d4f2bf79da5b0c001061f2ab6c1
Vulnerabilities
| CVE | Severity | Dependency | Type | Fixed in (python version) | Remediation Available | |
|---|---|---|---|---|---|---|
| CVE-2022-42919 | 7.8 | python-3.8.8-hffdb5ce_0_cpython.tar.bz2 | Direct | v3.11.0 | ❌ | |
| CVE-2015-20107 | 7.6 | python-3.8.8-hffdb5ce_0_cpython.tar.bz2 | Direct | N/A | ❌ | |
| CVE-2022-45061 | 7.5 | python-3.8.8-hffdb5ce_0_cpython.tar.bz2 | Direct | N/A | ❌ | |
| CVE-2022-0391 | 7.5 | python-3.8.8-hffdb5ce_0_cpython.tar.bz2 | Direct | v3.6.14,v3.7.11,v3.8.11,v3.9.5,v3.10.0b1 | ❌ | |
| CVE-2020-10735 | 7.5 | python-3.8.8-hffdb5ce_0_cpython.tar.bz2 | Direct | N/A | ❌ | |
| CVE-2021-3737 | 7.5 | python-3.8.8-hffdb5ce_0_cpython.tar.bz2 | Direct | v3.6.14,v3.7.11 ,v3.8.11 ,v3.9.6,v3.10.0 | ❌ | |
| CVE-2021-28861 | 7.4 | python-3.8.8-hffdb5ce_0_cpython.tar.bz2 | Direct | v3.10.6 | ❌ | |
| CVE-2021-3733 | 6.5 | python-3.8.8-hffdb5ce_0_cpython.tar.bz2 | Direct | v3.9.5 | ❌ | |
| CVE-2007-4559 | 5.6 | python-3.8.8-hffdb5ce_0_cpython.tar.bz2 | Direct | N/A | ❌ |
Details
CVE-2022-42919
Vulnerable Library - python-3.8.8-hffdb5ce_0_cpython.tar.bz2
General purpose programming language
Library home page: https://api.anaconda.org/download/conda-forge/python/3.8.8/linux-64/python-3.8.8-hffdb5ce_0_cpython.tar.bz2
Path to dependency file: /environment.yml
Path to vulnerable library: /home/wss-scanner/anaconda3/pkgs/python-3.8.8-hffdb5ce_0_cpython.tar.bz2,/r/anaconda3/pkgs/python-3.8.8-hffdb5ce_0_cpython.tar.bz2
Dependency Hierarchy:
- ❌ python-3.8.8-hffdb5ce_0_cpython.tar.bz2 (Vulnerable Library)
Found in HEAD commit: fd25f8b654a14d4f2bf79da5b0c001061f2ab6c1
Found in base branch: develop
Vulnerability Details
Python 3.9.x and 3.10.x through 3.10.8 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any forkserver process is running as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start method for multiprocessing is not the default start method. This issue is Linux specific because only Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract namespace sockets by default. Support for users manually specifying an abstract namespace socket was added as a bugfix in 3.7.8 and 3.8.4, but users would need to make specific uncommon API calls in order to do that in CPython before 3.9.
Publish Date: 2022-11-07
URL: CVE-2022-42919
CVSS 3 Score Details (7.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-42919
Release Date: 2022-11-07
Fix Resolution: v3.11.0
Step up your Open Source Security Game with Mend here
CVE-2015-20107
Vulnerable Library - python-3.8.8-hffdb5ce_0_cpython.tar.bz2
General purpose programming language
Library home page: https://api.anaconda.org/download/conda-forge/python/3.8.8/linux-64/python-3.8.8-hffdb5ce_0_cpython.tar.bz2
Path to dependency file: /environment.yml
Path to vulnerable library: /home/wss-scanner/anaconda3/pkgs/python-3.8.8-hffdb5ce_0_cpython.tar.bz2,/r/anaconda3/pkgs/python-3.8.8-hffdb5ce_0_cpython.tar.bz2
Dependency Hierarchy:
- ❌ python-3.8.8-hffdb5ce_0_cpython.tar.bz2 (Vulnerable Library)
Found in HEAD commit: fd25f8b654a14d4f2bf79da5b0c001061f2ab6c1
Found in base branch: develop
Vulnerability Details
In Python (aka CPython) through 3.10.4, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments).
Publish Date: 2022-04-13
URL: CVE-2015-20107
CVSS 3 Score Details (7.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: High
- Availability Impact: Low
Step up your Open Source Security Game with Mend here
CVE-2022-45061
Vulnerable Library - python-3.8.8-hffdb5ce_0_cpython.tar.bz2
General purpose programming language
Library home page: https://api.anaconda.org/download/conda-forge/python/3.8.8/linux-64/python-3.8.8-hffdb5ce_0_cpython.tar.bz2
Path to dependency file: /environment.yml
Path to vulnerable library: /home/wss-scanner/anaconda3/pkgs/python-3.8.8-hffdb5ce_0_cpython.tar.bz2,/r/anaconda3/pkgs/python-3.8.8-hffdb5ce_0_cpython.tar.bz2
Dependency Hierarchy:
- ❌ python-3.8.8-hffdb5ce_0_cpython.tar.bz2 (Vulnerable Library)
Found in HEAD commit: fd25f8b654a14d4f2bf79da5b0c001061f2ab6c1
Found in base branch: develop
Vulnerability Details
An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.
Publish Date: 2022-11-09
URL: CVE-2022-45061
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Step up your Open Source Security Game with Mend here
CVE-2022-0391
Vulnerable Library - python-3.8.8-hffdb5ce_0_cpython.tar.bz2
General purpose programming language
Library home page: https://api.anaconda.org/download/conda-forge/python/3.8.8/linux-64/python-3.8.8-hffdb5ce_0_cpython.tar.bz2
Path to dependency file: /environment.yml
Path to vulnerable library: /home/wss-scanner/anaconda3/pkgs/python-3.8.8-hffdb5ce_0_cpython.tar.bz2,/r/anaconda3/pkgs/python-3.8.8-hffdb5ce_0_cpython.tar.bz2
Dependency Hierarchy:
- ❌ python-3.8.8-hffdb5ce_0_cpython.tar.bz2 (Vulnerable Library)
Found in HEAD commit: fd25f8b654a14d4f2bf79da5b0c001061f2ab6c1
Found in base branch: develop
Vulnerability Details
A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows characters like '\r' and '\n' in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection attacks. This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14.
Publish Date: 2022-02-09
URL: CVE-2022-0391
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0391
Release Date: 2022-02-09
Fix Resolution: v3.6.14,v3.7.11,v3.8.11,v3.9.5,v3.10.0b1
Step up your Open Source Security Game with Mend here
CVE-2020-10735
Vulnerable Library - python-3.8.8-hffdb5ce_0_cpython.tar.bz2
General purpose programming language
Library home page: https://api.anaconda.org/download/conda-forge/python/3.8.8/linux-64/python-3.8.8-hffdb5ce_0_cpython.tar.bz2
Path to dependency file: /environment.yml
Path to vulnerable library: /home/wss-scanner/anaconda3/pkgs/python-3.8.8-hffdb5ce_0_cpython.tar.bz2,/r/anaconda3/pkgs/python-3.8.8-hffdb5ce_0_cpython.tar.bz2
Dependency Hierarchy:
- ❌ python-3.8.8-hffdb5ce_0_cpython.tar.bz2 (Vulnerable Library)
Found in HEAD commit: fd25f8b654a14d4f2bf79da5b0c001061f2ab6c1
Found in base branch: develop
Vulnerability Details
A flaw was found in python. In algorithms with quadratic time complexity using non-binary bases, when using int("text"), a system could take 50ms to parse an int string with 100,000 digits and 5s for 1,000,000 digits (float, decimal, int.from_bytes(), and int() for binary bases 2, 4, 8, 16, and 32 are not affected). The highest threat from this vulnerability is to system availability.
Publish Date: 2022-09-09
URL: CVE-2020-10735
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Step up your Open Source Security Game with Mend here
CVE-2021-3737
Vulnerable Library - python-3.8.8-hffdb5ce_0_cpython.tar.bz2
General purpose programming language
Library home page: https://api.anaconda.org/download/conda-forge/python/3.8.8/linux-64/python-3.8.8-hffdb5ce_0_cpython.tar.bz2
Path to dependency file: /environment.yml
Path to vulnerable library: /home/wss-scanner/anaconda3/pkgs/python-3.8.8-hffdb5ce_0_cpython.tar.bz2,/r/anaconda3/pkgs/python-3.8.8-hffdb5ce_0_cpython.tar.bz2
Dependency Hierarchy:
- ❌ python-3.8.8-hffdb5ce_0_cpython.tar.bz2 (Vulnerable Library)
Found in HEAD commit: fd25f8b654a14d4f2bf79da5b0c001061f2ab6c1
Found in base branch: develop
Vulnerability Details
A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to system availability.
Publish Date: 2022-03-04
URL: CVE-2021-3737
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://python-security.readthedocs.io/vuln/urllib-100-continue-loop.html
Release Date: 2022-03-04
Fix Resolution: v3.6.14,v3.7.11 ,v3.8.11 ,v3.9.6,v3.10.0
Step up your Open Source Security Game with Mend here
CVE-2021-28861
Vulnerable Library - python-3.8.8-hffdb5ce_0_cpython.tar.bz2
General purpose programming language
Library home page: https://api.anaconda.org/download/conda-forge/python/3.8.8/linux-64/python-3.8.8-hffdb5ce_0_cpython.tar.bz2
Path to dependency file: /environment.yml
Path to vulnerable library: /home/wss-scanner/anaconda3/pkgs/python-3.8.8-hffdb5ce_0_cpython.tar.bz2,/r/anaconda3/pkgs/python-3.8.8-hffdb5ce_0_cpython.tar.bz2
Dependency Hierarchy:
- ❌ python-3.8.8-hffdb5ce_0_cpython.tar.bz2 (Vulnerable Library)
Found in HEAD commit: fd25f8b654a14d4f2bf79da5b0c001061f2ab6c1
Found in base branch: develop
Vulnerability Details
** DISPUTED ** Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may leads to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states "Warning: http.server is not recommended for production. It only implements basic security checks."
Mend Note: After conducting further research, Mend has determined that all versions of cpython up to version 3.10.6 are vulnerable to CVE-2021-28861.
Publish Date: 2022-08-23
URL: CVE-2021-28861
CVSS 3 Score Details (7.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2022-08-23
Fix Resolution: v3.10.6
Step up your Open Source Security Game with Mend here
CVE-2021-3733
Vulnerable Library - python-3.8.8-hffdb5ce_0_cpython.tar.bz2
General purpose programming language
Library home page: https://api.anaconda.org/download/conda-forge/python/3.8.8/linux-64/python-3.8.8-hffdb5ce_0_cpython.tar.bz2
Path to dependency file: /environment.yml
Path to vulnerable library: /home/wss-scanner/anaconda3/pkgs/python-3.8.8-hffdb5ce_0_cpython.tar.bz2,/r/anaconda3/pkgs/python-3.8.8-hffdb5ce_0_cpython.tar.bz2
Dependency Hierarchy:
- ❌ python-3.8.8-hffdb5ce_0_cpython.tar.bz2 (Vulnerable Library)
Found in HEAD commit: fd25f8b654a14d4f2bf79da5b0c001061f2ab6c1
Found in base branch: develop
Vulnerability Details
There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability.
Publish Date: 2022-03-10
URL: CVE-2021-3733
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://security-tracker.debian.org/tracker/CVE-2021-3733
Release Date: 2022-03-10
Fix Resolution: v3.9.5
Step up your Open Source Security Game with Mend here
CVE-2007-4559
Vulnerable Library - python-3.8.8-hffdb5ce_0_cpython.tar.bz2
General purpose programming language
Library home page: https://api.anaconda.org/download/conda-forge/python/3.8.8/linux-64/python-3.8.8-hffdb5ce_0_cpython.tar.bz2
Path to dependency file: /environment.yml
Path to vulnerable library: /home/wss-scanner/anaconda3/pkgs/python-3.8.8-hffdb5ce_0_cpython.tar.bz2,/r/anaconda3/pkgs/python-3.8.8-hffdb5ce_0_cpython.tar.bz2
Dependency Hierarchy:
- ❌ python-3.8.8-hffdb5ce_0_cpython.tar.bz2 (Vulnerable Library)
Found in HEAD commit: fd25f8b654a14d4f2bf79da5b0c001061f2ab6c1
Found in base branch: develop
Vulnerability Details
Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.
Publish Date: 2007-08-28
URL: CVE-2007-4559
CVSS 3 Score Details (5.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Step up your Open Source Security Game with Mend here